Sign-up

ID

VAR-202004-1956


CVE

CVE-2020-9769


TITLE

macOS Catalina Vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2020-003572

DESCRIPTION

Multiple issues were addressed by updating to version 8.1.1850. This issue is fixed in macOS Catalina 10.15.4. Multiple issues in Vim. macOS Catalina There is an unspecified vulnerability in.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. Apple macOS Catalina is a set of dedicated operating systems developed by Apple for Mac computers. Vim is one of the text editor components. A security vulnerability exists in the Vim component of Apple macOS Catalina versions prior to 10.15.4. No detailed vulnerability details were provided at this time. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2020-03-24-2 macOS Catalina 10.15.4, Security Update 2020-002 Mojave, Security Update 2020-002 High Sierra macOS Catalina 10.15.4, Security Update 2020-002 Mojave, Security Update 2020-002 High Sierra are now available and address the following: Apple HSSPI Support Available for: macOS Catalina 10.15.3 Impact: An application may be able to execute arbitrary code with system privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2020-3903: Proteas of Qihoo 360 Nirvan Team AppleGraphicsControl Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.3 Impact: A malicious application may be able to execute arbitrary code with kernel privileges Description: Multiple memory corruption issues were addressed with improved state management. CVE-2020-3904: Proteas of Qihoo 360 Nirvan Team AppleMobileFileIntegrity Available for: macOS Catalina 10.15.3 Impact: An application may be able to use arbitrary entitlements Description: This issue was addressed with improved checks. CVE-2020-3883: Linus Henze (pinauten.de) Bluetooth Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.3 Impact: A local user may be able to cause unexpected system termination or read kernel memory Description: An out-of-bounds read was addressed with improved input validation. CVE-2020-3907: Yu Wang of Didi Research America CVE-2020-3908: Yu Wang of Didi Research America CVE-2020-3912: Yu Wang of Didi Research America Bluetooth Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6 Impact: An application may be able to read restricted memory Description: A validation issue was addressed with improved input sanitization. CVE-2019-8853: Jianjun Dai of Qihoo 360 Alpha Lab Bluetooth Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.3 Impact: A malicious application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved input validation. CVE-2020-3892: Yu Wang of Didi Research America CVE-2020-3893: Yu Wang of Didi Research America CVE-2020-3905: Yu Wang of Didi Research America Call History Available for: macOS Catalina 10.15.3 Impact: A malicious application may be able to access a user's call history Description: This issue was addressed with a new entitlement. CVE-2020-9776: Benjamin Randazzo (@____benjamin) CoreFoundation Available for: macOS Catalina 10.15.3 Impact: A malicious application may be able to elevate privileges Description: A permissions issue existed. This issue was addressed with improved permission validation. CVE-2020-3913: Timo Christ of Avira Operations GmbH & Co. KG FaceTime Available for: macOS Catalina 10.15.3 Impact: A local user may be able to view sensitive user information Description: A logic issue was addressed with improved state management. CVE-2020-3881: Yuval Ron, Amichai Shulman and Eli Biham of Technion - Israel Institute of Technology Icons Available for: macOS Catalina 10.15.3 Impact: A malicious application may be able to identify what other applications a user has installed Description: The issue was addressed with improved handling of icon caches. CVE-2020-9773: Chilik Tamir of Zimperium zLabs Intel Graphics Driver Available for: macOS Catalina 10.15.3 Impact: A malicious application may disclose restricted memory Description: An information disclosure issue was addressed with improved state management. CVE-2019-14615: Wenjian HE of Hong Kong University of Science and Technology, Wei Zhang of Hong Kong University of Science and Technology, Sharad Sinha of Indian Institute of Technology Goa, and Sanjeev Das of University of North Carolina IOHIDFamily Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.3 Impact: A malicious application may be able to execute arbitrary code with kernel privileges Description: A memory initialization issue was addressed with improved memory handling. CVE-2020-3919: an anonymous researcher IOThunderboltFamily Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6 Impact: An application may be able to gain elevated privileges Description: A use after free issue was addressed with improved memory management. CVE-2020-3851: Xiaolong Bai and Min (Spark) Zheng of Alibaba Inc. and Luyi Xing of Indiana University Bloomington Kernel Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.3 Impact: An application may be able to read restricted memory Description: A memory initialization issue was addressed with improved memory handling. CVE-2020-3914: pattern-f (@pattern_F_) of WaCai Kernel Available for: macOS Catalina 10.15.3 Impact: A malicious application may be able to execute arbitrary code with kernel privileges Description: Multiple memory corruption issues were addressed with improved state management. CVE-2020-9785: Proteas of Qihoo 360 Nirvan Team libxml2 Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.3 Impact: Multiple issues in libxml2 Description: A buffer overflow was addressed with improved bounds checking. CVE-2020-3909: LGTM.com CVE-2020-3911: found by OSS-Fuzz libxml2 Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.3 Impact: Multiple issues in libxml2 Description: A buffer overflow was addressed with improved size validation. CVE-2020-3910: LGTM.com Mail Available for: macOS High Sierra 10.13.6, macOS Catalina 10.15.3 Impact: A remote attacker may be able to cause arbitrary javascript code execution Description: An injection issue was addressed with improved validation. CVE-2020-3884: Apple sudo Available for: macOS Catalina 10.15.3 Impact: An attacker may be able to run commands as a non-existent user Description: This issue was addressed by updating to sudo version 1.8.31. CVE-2019-19232 TCC Available for: macOS Mojave 10.14.6, macOS Catalina 10.15.3 Impact: A maliciously crafted application may be able to bypass code signing enforcement Description: A logic issue was addressed with improved restrictions. CVE-2020-9769: Steve Hahn from LinkedIn Additional recognition CoreText We would like to acknowledge an anonymous researcher for their assistance. FireWire Audio We would like to acknowledge Xiaolong Bai and Min (Spark) Zheng of Alibaba Inc. and Luyi Xing of Indiana University Bloomington for their assistance. FontParser We would like to acknowledge Matthew Denton of Google Chrome for their assistance. Install Framework Legacy We would like to acknowledge Pris Sears of Virginia Tech, Tom Lynch of UAL Creative Computing Institute, and an anonymous researcher for their assistance. LinkPresentation We would like to acknowledge Travis for their assistance. OpenSSH We would like to acknowledge an anonymous researcher for their assistance. rapportd We would like to acknowledge Alexander Heinrich (@Sn0wfreeze) of Technische Universität Darmstadt for their assistance. Sidecar We would like to acknowledge Rick Backley (@rback_sec) for their assistance. Installation note: macOS Catalina 10.15.4, Security Update 2020-002 Mojave, Security Update 2020-002 High Sierra may be obtained from the Mac App Store or Apple's Software Downloads web site: https://support.apple.com/downloads/ -----BEGIN PGP SIGNATURE----- Version: BCPG v1.64 iQIcBAEDCAAGBQJeejDOAAoJEAc+Lhnt8tDNTtkP/RRnnsXeWXRjFHoRf7P+npKE Je0ZSoqv08Tgmv+Q0voSdCFZjFAqKXviVgZTGFT7LsuUWqdZEATxkB1fevt7t3Bl qXWNGpna3mGqWl6I2cWKxVOHT9fysO/31ADgFIwgOWSodvImNdp/JBpOcyRqcFJc B3TpNq8xtKSpWBVrq0TVHRWMu87VJHkGi78jAJ4x7qgXyWICf3usa9ajqYqzV99m 6/DrIH4s2Um2zJVi4YyzK0+rR2B2Q1eO8CFuzUB9D1HKCEnRXoRfALFC8v83p7cC m46CarISSrnMEYkxNhxsOGQbcMyBR3GDNZlo8/Y+Syqgwp3AKWbRFUDDM9vbCv6F z1fkWBmGftcd6G8dqO0dMAR6asglg9z2/GF/+3pZh5Mmmd7EBX+YeA84BhDTTsTs 671Af+F8OxSqgRV8qe+dbiFbD9qylM1luJD98PzoiFMO3h29fS41ofpuA6BTrdQN JPWY0NwTS11xQb11LHhXm7nF9vsrCIIspauOfkLbpCx6AWJQ/FpPyIXBYUEJ50ho NWWv4jmT+v8PSC2tSM0yMeI4OJX/+yd91uKLqzGGr1x2zshrXoMx0VDpg8HJkLfT y7CSgFrBGO8AgrcsZ6I8nDleoBsrEpLh2qEil7GexwoyUrVvfxCueW0shv4Oo4gf ZHp7Jd+FZIoCP69dNnxG =AUHy -----END PGP SIGNATURE-----

Trust: 1.8

sources: NVD: CVE-2020-9769 // JVNDB: JVNDB-2020-003572 // VULHUB: VHN-187894 // PACKETSTORM: 156894

AFFECTED PRODUCTS

vendor:applemodel:mac os xscope:ltversion:10.15.4

Trust: 1.0

vendor:applemodel:mac os xscope:eqversion:10.15.3

Trust: 0.8

sources: JVNDB: JVNDB-2020-003572 // NVD: CVE-2020-9769

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-9769
value: CRITICAL

Trust: 1.0

NVD: JVNDB-2020-003572
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-202003-1548
value: CRITICAL

Trust: 0.6

VULHUB: VHN-187894
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2020-9769
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-003572
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-187894
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-9769
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-003572
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-187894 // JVNDB: JVNDB-2020-003572 // CNNVD: CNNVD-202003-1548 // NVD: CVE-2020-9769

PROBLEMTYPE DATA

problemtype:NVD-CWE-noinfo

Trust: 1.0

sources: NVD: CVE-2020-9769

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202003-1548

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202003-1548

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2020-003572

PATCH
title:HT211100url:https://support.apple.com/en-us/HT211100
Trust: 0.8
title:HT211100url:https://support.apple.com/ja-jp/HT211100
Trust: 0.8
title:Apple macOS Catalina Vim Fixes for component security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=112960
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2020-003572 // 
            
            
            
            CNNVD: CNNVD-202003-1548

EXTERNAL IDS
db:NVDid:CVE-2020-9769
Trust: 2.6
db:JVNid:JVNVU96545608
Trust: 0.8
db:JVNDBid:JVNDB-2020-003572
Trust: 0.8
db:CNNVDid:CNNVD-202003-1548
Trust: 0.6
db:CNVDid:CNVD-2020-29867
Trust: 0.1
db:VULHUBid:VHN-187894
Trust: 0.1
db:PACKETSTORMid:156894
Trust: 0.1
sources:
            
            
            VULHUB: VHN-187894 // 
            
            
            
            JVNDB: JVNDB-2020-003572 // 
            
            
            
            PACKETSTORM: 156894 // 
            
            
            
            CNNVD: CNNVD-202003-1548 // 
            
            
            
            NVD: CVE-2020-9769

REFERENCES
url:https://support.apple.com/ht211100
Trust: 1.7
url:https://nvd.nist.gov/vuln/detail/cve-2020-9769
Trust: 1.5
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-9769
Trust: 0.8
url:https://jvn.jp/vu/jvnvu96545608/
Trust: 0.8
url:https://support.apple.com/en-us/ht211100
Trust: 0.6
url:https://nvd.nist.gov/vuln/detail/cve-2020-3911
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2020-3883
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2020-3903
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2020-3851
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2019-19232
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2020-9785
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2020-3905
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2020-3907
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2020-3893
Trust: 0.1
url:https://support.apple.com/downloads/
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2020-3909
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2020-9773
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2020-3884
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2020-3881
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2020-3906
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2020-3912
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2019-8853
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2020-3908
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2020-3914
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2020-3910
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2020-3892
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2020-3919
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2020-3913
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2020-9776
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2019-14615
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2020-3904
Trust: 0.1
sources:
            
            
            VULHUB: VHN-187894 // 
            
            
            
            JVNDB: JVNDB-2020-003572 // 
            
            
            
            PACKETSTORM: 156894 // 
            
            
            
            CNNVD: CNNVD-202003-1548 // 
            
            
            
            NVD: CVE-2020-9769

CREDITS
Apple
Trust: 0.1
sources:
            
            
            PACKETSTORM: 156894

SOURCES
db:VULHUBid:VHN-187894
db:JVNDBid:JVNDB-2020-003572
db:PACKETSTORMid:156894
db:CNNVDid:CNNVD-202003-1548
db:NVDid:CVE-2020-9769

LAST UPDATE DATE
2024-11-23T20:38:48.762000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-187894date:2020-04-02T00:00:00
db:JVNDBid:JVNDB-2020-003572date:2020-04-20T00:00:00
db:CNNVDid:CNNVD-202003-1548date:2021-10-29T00:00:00
db:NVDid:CVE-2020-9769date:2024-11-21T05:41:14.533

SOURCES RELEASE DATE
db:VULHUBid:VHN-187894date:2020-04-01T00:00:00
db:JVNDBid:JVNDB-2020-003572date:2020-04-20T00:00:00
db:PACKETSTORMid:156894date:2020-03-25T14:22:53
db:CNNVDid:CNNVD-202003-1548date:2020-03-25T00:00:00
db:NVDid:CVE-2020-9769date:2020-04-01T18:15:17.630