CERTVU:127371iOS, iPadOS, tvOS, watchOS, and macOS contain a double-free vulnerability in the XNU kernel lio_listio() function
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.2 High
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
0.001 Low
EPSS
Percentile
29.8%
Overview
iOS, iPadOS, tvOS, watchOS, and macOS contain a double-free vulnerability in the GNU kernel’s lio_listio() function, which can allow a malicious application to achieve unsandboxed, kernel-level code execution.
Description
iOS, iPadOS, tvOS, watchOS, and macOS contain an a double-free vulnerability in the GNU kernel’s lio_listio() function. This can lead to triggering a use-after-free condition. This vulnerability can allow code execution with kernel privileges. This vulnerability is being used by the public unc0ver 5.0 jailbreak utility, which claims to support all devices from iOS 11 through 13.5, excluding versions 12.3-12.3.2 and 12.4.2-12.4.5. It is also reported that this jailbreak works on modern iOS devices that use a CPU that supports Pointer Authentication Code (PAC), which indicates that PAC does not prevent exploitation of this vulnerability.
It is reported that this vulnerability is a regression of the vulnerability known as LightSpeed.
Impact
By convincing a user to run a malicious application on a device running iOS, iPadOS, tvOS, watchOS, or macOS, an attacker may be able to achieve arbitrary code execution in the kernel that is not restricted by sandboxes or other OS protections.
Solution
Apply updates
This issue is addressed in the following OS updates from Apple:
macOS Catalina 10.15.5 Supplemental Update, Security Update 2020-003 High Sierra
tvOS 13.4.6
watchOS 6.2.6
iOS 13.5.1 and iPadOS 13.5.1
Acknowledgements
This document was written by Will Dormann.
Vendor Information
127371
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Apple __ Affected
| Updated: 2020-06-19 CVE-2020-9859 | Affected |
|---|
Vendor Statement
We have not received a statement from the vendor.
References
- <https://support.apple.com/en-us/HT211214>
- <https://support.apple.com/en-us/HT211215>
- <https://support.apple.com/en-us/HT211216>
- <https://support.apple.com/en-us/HT211217>
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 7.2 | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| Temporal | 6.8 | E:F/RL:U/RC:C |
| Environmental | 6.8 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND |
References
- <https://support.apple.com/en-us/HT211214>
- <https://support.apple.com/en-us/HT211215>
- <https://support.apple.com/en-us/HT211216>
- <https://support.apple.com/en-us/HT211217>
- <https://unc0ver.dev/>
- <https://googleprojectzero.blogspot.com/2020/07/how-to-unc0ver-0-day-in-4-hours-or-less.html>
- <https://googleprojectzero.blogspot.com/2019/02/examining-pointer-authentication-on.html>
Other Information
| CVE IDs: | CVE-2020-9859 |
|---|---|
| Date Public: | 2020-05-23 Date First Published: |
References
googleprojectzero.blogspot.com/2019/02/examining-pointer-authentication-on.html
googleprojectzero.blogspot.com/2020/07/how-to-unc0ver-0-day-in-4-hours-or-less.html
support.apple.com/en-us/HT211214
support.apple.com/en-us/HT211215
support.apple.com/en-us/HT211216
support.apple.com/en-us/HT211217
unc0ver.dev/
Related
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.2 High
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
0.001 Low
EPSS
Percentile
29.8%