ID

VAR-202006-1650


CVE

CVE-2020-9801


TITLE

Logic vulnerabilities in Safari

Trust: 0.8

sources: JVNDB: JVNDB-2020-006256

DESCRIPTION

A logic issue was addressed with improved restrictions. This issue is fixed in Safari 13.1.1. A malicious process may cause Safari to launch an application. This vulnerability allows local attackers to escalate privileges on affected installations of Apple Safari. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of symbolic links. The issue results from the improper validation of symbolic links prior to performing operations on them. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute code in the context of the kernel. Apple Safari is a web browser from Apple, the default browser included with the Mac OS X and iOS operating systems.

APPLE-SA-2020-05-26-7 Safari 13.1.1

Safari 13.1.1 is now available and addresses the following:

Safari
Available for: macOS Mojave and macOS High Sierra, and included in macOS Catalina
Impact: A malicious process may cause Safari to launch an application
Description: A logic issue was addressed with improved restrictions.
CVE-2020-9801: @jinmo123, @setuid0x0_, and @insu_yun_en of @SSLab_Gatech working with Trend Micro’s Zero Day Initiative

WebKit
Available for: macOS Mojave and macOS High Sierra, and included in macOS Catalina
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A logic issue was addressed with improved restrictions.
CVE-2020-9802: Samuel Groß of Google Project Zero

WebKit
Available for: macOS Mojave and macOS High Sierra, and included in macOS Catalina
Impact: Processing maliciously crafted web content may lead to universal cross site scripting
Description: A logic issue was addressed with improved restrictions.
CVE-2020-9805: an anonymous researcher

WebKit
Available for: macOS Mojave and macOS High Sierra, and included in macOS Catalina
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A type confusion issue was addressed with improved memory handling.
CVE-2020-9800: Brendan Draper (@6r3nd4n) working with Trend Micro Zero Day Initiative

WebKit
Available for: macOS Mojave and macOS High Sierra, and included in macOS Catalina
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A memory corruption issue was addressed with improved state management.
CVE-2020-9806: Wen Xu of SSLab at Georgia Tech
CVE-2020-9807: Wen Xu of SSLab at Georgia Tech

WebKit
Available for: macOS Mojave and macOS High Sierra, and included in macOS Catalina
Impact: A remote attacker may be able to cause arbitrary code execution
Description: A logic issue was addressed with improved restrictions.
CVE-2020-9850: @jinmo123, @setuid0x0_, and @insu_yun_en of @SSLab_Gatech working with Trend Micro’s Zero Day Initiative

WebKit
Available for: macOS Mojave and macOS High Sierra, and included in macOS Catalina
Impact: Processing maliciously crafted web content may lead to a cross site scripting attack
Description: An input validation issue was addressed with improved input validation.
CVE-2020-9843: Ryan Pickren (ryanpickren.com)

WebKit
Available for: macOS Mojave and macOS High Sierra, and included in macOS Catalina
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A memory corruption issue was addressed with improved validation.
CVE-2020-9803: Wen Xu of SSLab at Georgia Tech

WebRTC
Available for: macOS Mojave and macOS High Sierra, and included in macOS Catalina
Impact: Processing maliciously crafted web content may result in the disclosure of process memory
Description: An access issue was addressed with improved memory management.
CVE-2019-20503: Natalie Silvanovich of Google Project Zero

Additional recognition

WebKit
We would like to acknowledge Aidan Dunlap of UT Austin for their assistance.

Installation note: Safari 13.1.1 may be obtained from the Mac App Store.

Trust: 2.52

sources: NVD: CVE-2020-9801 // JVNDB: JVNDB-2020-006256 // ZDI: ZDI-20-679 // VULHUB: VHN-187926 // VULMON: CVE-2020-9801 // PACKETSTORM: 157876

AFFECTED PRODUCTS

vendor: apple, model: safari, scope: lt, version: 13.1.1

Trust: 1.0

vendor: apple, model: safari, scope: eq, version: less than 13.1.1 (macos catalina)

Trust: 0.8

vendor: apple, model: safari, scope: eq, version: less than 13.1.1 (macos high sierra)

Trust: 0.8

vendor: apple, model: safari, scope: eq, version: less than 13.1.1 (macos mojave)

Trust: 0.8

vendor: apple, model: safari, scope: -, version: -

Trust: 0.7

sources: ZDI: ZDI-20-679 // JVNDB: JVNDB-2020-006256 // NVD: CVE-2020-9801

CVSS

SEVERITY

nvd@nist.gov: CVE-2020-9801
value: MEDIUM

Trust: 1.0

NVD: JVNDB-2020-006256
value: MEDIUM

Trust: 0.8

ZDI: CVE-2020-9801
value: MEDIUM

Trust: 0.7

CNNVD: CNNVD-202005-1262
value: MEDIUM

Trust: 0.6

VULHUB: VHN-187926
value: MEDIUM

Trust: 0.1

VULMON: CVE-2020-9801
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2020-9801
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

NVD: JVNDB-2020-006256
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-187926
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2020-9801
baseSeverity: MEDIUM
baseScore: 5.3
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 1.8
impactScore: 3.4
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-006256
baseSeverity: MEDIUM
baseScore: 5.3
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

ZDI: CVE-2020-9801
baseSeverity: MEDIUM
baseScore: 5.3
vectorString: AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 1.8
impactScore: 3.4
version: 3.0

Trust: 0.7

sources: ZDI: ZDI-20-679 // VULHUB: VHN-187926 // VULMON: CVE-2020-9801 // JVNDB: JVNDB-2020-006256 // CNNVD: CNNVD-202005-1262 // NVD: CVE-2020-9801

PROBLEMTYPE DATA

problemtype: NVD-CWE-noinfo

Trust: 1.0

sources: NVD: CVE-2020-9801

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202005-1262

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202005-1262

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-006256

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-187926

PATCH

title: HT211177, url: https://support.apple.com/en-us/HT211177

Trust: 0.8

title: HT211177, url: https://support.apple.com/ja-jp/HT211177

Trust: 0.8

title: -, url: https://support.apple.com/en-gb/HT211177

Trust: 0.7

title: Apple Safari Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=119863

Trust: 0.6

title: The Register, url: https://www.theregister.co.uk/2020/05/28/apple_may_updates/

Trust: 0.1

sources: ZDI: ZDI-20-679 // VULMON: CVE-2020-9801 // JVNDB: JVNDB-2020-006256 // CNNVD: CNNVD-202005-1262

EXTERNAL IDS

db: NVD, id: CVE-2020-9801

Trust: 3.4

db: ZDI, id: ZDI-20-679

Trust: 1.3

db: PACKETSTORM, id: 159447

Trust: 0.8

db: JVN, id: JVNVU98042162

Trust: 0.8

db: JVNDB, id: JVNDB-2020-006256

Trust: 0.8

db: ZDI_CAN, id: ZDI-CAN-10774

Trust: 0.7

db: CNNVD, id: CNNVD-202005-1262

Trust: 0.7

db: PACKETSTORM, id: 157876

Trust: 0.7

db: AUSCERT, id: ESB-2020.1867

Trust: 0.6

db: VULHUB, id: VHN-187926

Trust: 0.1

db: VULMON, id: CVE-2020-9801

Trust: 0.1

sources: ZDI: ZDI-20-679 // VULHUB: VHN-187926 // VULMON: CVE-2020-9801 // JVNDB: JVNDB-2020-006256 // PACKETSTORM: 157876 // CNNVD: CNNVD-202005-1262 // NVD: CVE-2020-9801

REFERENCES

url:https://support.apple.com/ht211177

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2020-9801

Trust: 1.5

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-9801

Trust: 0.8

url:http://jvn.jp/vu/jvnvu98042162/index.html

Trust: 0.8

url:https://support.apple.com/en-gb/ht211177

Trust: 0.7

url:https://packetstormsecurity.com/files/159447/safari-type-confusion-sandbox-escape.html

Trust: 0.7

url:https://www.zerodayinitiative.com/advisories/zdi-20-679/

Trust: 0.6

url:https://support.apple.com/kb/ht211177

Trust: 0.6

url:https://support.apple.com/en-us/ht211177

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.1867/

Trust: 0.6

url:https://packetstormsecurity.com/files/157876/apple-security-advisory-2020-05-26-7.html

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://www.rapid7.com/db/modules/exploit/osx/browser/safari_in_operator_side_effect/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-9800

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-9807

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-9806

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-9843

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-9805

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-9803

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-9802

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-20503

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-9850

Trust: 0.1

sources: ZDI: ZDI-20-679 // VULHUB: VHN-187926 // VULMON: CVE-2020-9801 // JVNDB: JVNDB-2020-006256 // PACKETSTORM: 157876 // CNNVD: CNNVD-202005-1262 // NVD: CVE-2020-9801

CREDITS

@jinmo123, @setuid0x0_, and @insu_yun_en of @SSLab_Gatech

Trust: 0.7

sources: ZDI: ZDI-20-679

SOURCES

db: ZDI, id: ZDI-20-679
db: VULHUB, id: VHN-187926
db: VULMON, id: CVE-2020-9801
db: JVNDB, id: JVNDB-2020-006256
db: PACKETSTORM, id: 157876
db: CNNVD, id: CNNVD-202005-1262
db: NVD, id: CVE-2020-9801

LAST UPDATE DATE

2024-11-23T19:36:03.637000+00:00


SOURCES UPDATE DATE

db: ZDI, id: ZDI-20-679, date: 2020-05-28T00:00:00
db: VULHUB, id: VHN-187926, date: 2022-03-31T00:00:00
db: VULMON, id: CVE-2020-9801, date: 2022-03-31T00:00:00
db: JVNDB, id: JVNDB-2020-006256, date: 2020-07-03T00:00:00
db: CNNVD, id: CNNVD-202005-1262, date: 2021-10-29T00:00:00
db: NVD, id: CVE-2020-9801, date: 2024-11-21T05:41:18.557

SOURCES RELEASE DATE

db: ZDI, id: ZDI-20-679, date: 2020-05-28T00:00:00
db: VULHUB, id: VHN-187926, date: 2020-06-09T00:00:00
db: VULMON, id: CVE-2020-9801, date: 2020-06-09T00:00:00
db: JVNDB, id: JVNDB-2020-006256, date: 2020-07-03T00:00:00
db: PACKETSTORM, id: 157876, date: 2020-05-29T19:03:50
db: CNNVD, id: CNNVD-202005-1262, date: 2020-05-26T00:00:00
db: NVD, id: CVE-2020-9801, date: 2020-06-09T17:15:12.097