Attacker Value
Very High
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Local
1

CVE-2020-9934 - macOS Transparency, Consent, and Control (TCC) Framework bypass

Disclosure Date: October 16, 2020
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Metasploit Module

Description

An issue existed in the handling of environment variables. This issue was addressed with improved validation. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6. A local user may be able to view sensitive user information.

Add Assessment

3
Ratings
Technical Analysis

Matt Shockley wrote a nice blog post, noted by @timwr and @ccondon-r7, on how to trivially bypass the TCC framework in MacOS by modifying the $HOME environment variable to point to an arbitrary TCC entitlement database that the attacker controls. What this means is that a post-exploitation implant will have an easy time bypassing TCC to access all files available to a user without any prompting.

However, since this is a relatively new feature in Catalina, users of earlier macOS versions were already ‘vulnerable’ simply because this feature was not available. It may be some time before users expect this to be a real security boundary on macOS, though on iOS it is definitely more of an expectation.

CVSS V3 Severity and Metrics
Base Score:
5.5 Medium
Impact Score:
3.6
Exploitability Score:
1.8
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector (AV):
Local
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
None
Availability (A):
None

General Information

Vendors

  • Apple

Products

  • iOS,
  • macOS

Additional Info

Technical Analysis