Attacker Value

Very High

CVE-2020-9934 - macOS Transparency, Consent, and Control (TCC) Framework bypass

Attacker Value

Very High

(1 user assessed)

Exploitability

Very High

(1 user assessed)

User Interaction

CVE-2020-9934 - macOS Transparency, Consent, and Control (TCC) Framework bypass

Disclosure Date: October 16, 2020 •

CVE-2020-9934 CVSS v3 Base Score: 5.5

Exploited in the Wild

Reported by gwillcox-r7
View Source Details

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Metasploit Module

Bypass the macOS TCC Framework

Description

An issue existed in the handling of environment variables. This issue was addressed with improved validation. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6. A local user may be able to view sensitive user information.

Add Assessment

busterb (321)

August 03, 2020 10:42pm UTC (3 years ago)•Edited 3 years ago

Ratings

Attacker Value

Very High

Exploitability

Very High

Common in enterprise Easy to weaponize Vulnerable in default configuration Authenticated

Technical Analysis

Matt Shockley wrote a nice blog post, noted by @timwr and @ccondon-r7, on how to trivially bypass the TCC framework in MacOS by modifying the $HOME environment variable to point to an arbitrary TCC entitlement database that the attacker controls. What this means is that a post-exploitation implant will have an easy time bypassing TCC to access all files available to a user without any prompting.

However, since this is a relatively new feature in Catalina, users of earlier macOS versions were already ‘vulnerable’ simply because this feature was not available. It may be some time before users expect this to be a real security boundary on macOS, though on iOS it is definitely more of an expectation.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

5.5 Medium

Impact Score:

3.6

Exploitability Score:

1.8

Vector:

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector (AV):

Local

Attack Complexity (AC):

Low

Privileges Required (PR):

Low

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

None

Availability (A):

None

Vendors

apple

Products

ipados,
iphone os,
mac os x

Metasploit Modules

Bypass the macOS TCC Framework (https://github.com/rapid7/metasploit-framework/blob/master/modules/post/osx/escalate/tccbypass.rb)

Exploited in the Wild

Reported by:

gwillcox-r7 indicated sources as

Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
News Article or Blog (https://www.bleepingcomputer.com/news/security/new-cloudmensis-malware-backdoors-macs-to-steal-victims-data/)

Reported: September 09, 2022 1:42pm UTC (1 year ago) • Edited 1 year ago

References

Canonical

CVE-2020-9934 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9934)

Miscellaneous

https://support.apple.com/HT211289

https://support.apple.com/HT211288

Rapid7

Very High