ID: CVE-2020-3892
Type: cve
Reporter: cve@mitre.org
Modified: 2020-04-02T17:06:00
Description
A memory corruption issue was addressed with improved input validation. This issue is fixed in macOS Catalina 10.15.4. A malicious application may be able to execute arbitrary code with kernel privileges.
{"openvas": [{"lastseen": "2020-04-04T00:39:30", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-3919", "CVE-2020-3911", "CVE-2020-3892", "CVE-2020-3914", "CVE-2020-3912", "CVE-2020-3893", "CVE-2020-3904", "CVE-2020-3907", "CVE-2020-3910", "CVE-2020-3905", "CVE-2020-3909", "CVE-2020-3908"], "description": "This host is installed with Apple Mac OS X\n and is prone to multiple vulnerabilities.", "modified": "2020-03-29T00:00:00", "published": "2020-03-26T00:00:00", "id": "OPENVAS:1361412562310816722", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310816722", "type": "openvas", "title": "Apple MacOSX Security Updates(HT211100)-01", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.816722\");\n script_version(\"2020-03-29T02:34:12+0000\");\n script_cve_id(\"CVE-2020-3907\", \"CVE-2020-3908\", \"CVE-2020-3912\", \"CVE-2020-3892\",\n \"CVE-2020-3893\", \"CVE-2020-3905\", \"CVE-2020-3904\", \"CVE-2020-3909\",\n \"CVE-2020-3911\", \"CVE-2020-3914\", \"CVE-2020-3910\", \"CVE-2020-3919\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-03-29 02:34:12 +0000 (Sun, 29 Mar 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-03-26 12:25:12 +0530 (Thu, 26 Mar 2020)\");\n script_name(\"Apple MacOSX Security Updates(HT211100)-01\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Apple Mac OS X\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - An out-of-bounds read issue due to improper input validation.\n\n - A memory corruption issue due to improper input validation.\n\n - Multiple memory corruption issues due to improper state management.\n\n - Multiple buffer overflow issues due to improper bounds checking and size validation.\n\n - A memory initialization issue due to improper memory handling.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation allows remote attackers\n to execute arbitrary code with kernel privileges, read kernel memory, and launch\n further attacks\");\n\n script_tag(name:\"affected\", value:\"Apple Mac OS X versions 10.13.x through 10.13.6,\n 10.14.x 
through 10.14.6, and 10.15.x through 10.15.3\");\n\n script_tag(name:\"solution\", value:\"Apply Security Update 2020-002 for Apple\n Mac OS X version 10.13.x and 10.14.x, or upgrade to 10.15.4 or later. Please\n see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_xref(name:\"URL\", value:\"https://support.apple.com/en-us/HT211100\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Mac OS X Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/osx_name\", \"ssh/login/osx_version\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"ssh_func.inc\");\n\nosName = get_kb_item(\"ssh/login/osx_name\");\nif(!osName){\n exit (0);\n}\n\nosVer = get_kb_item(\"ssh/login/osx_version\");\nif(!osVer || osVer !~ \"^10\\.1[345]\" || \"Mac OS X\" >!< osName){\n exit(0);\n}\n\nbuildVer = get_kb_item(\"ssh/login/osx_build\");\n\nif(osVer =~ \"^10\\.13\")\n{\n if(version_in_range(version:osVer, test_version:\"10.13\", test_version2:\"10.13.5\")){\n fix = \"Upgrade to latest OS release and apply patch from vendor\";\n }\n\n else if(osVer == \"10.13.6\")\n {\n if(osVer == \"10.13.6\" && version_is_less(version:buildVer, test_version:\"17G12034\"))\n {\n fix = \"Apply patch from vendor\";\n osVer = osVer + \" Build \" + buildVer;\n }\n }\n}\n\nif(osVer =~ \"^10\\.14\")\n{\n if(version_in_range(version:osVer, test_version:\"10.14\", test_version2:\"10.14.5\")){\n fix = \"Upgrade to latest OS release and apply patch from vendor\";\n }\n\n else if(osVer == \"10.14.6\")\n {\n if(osVer == \"10.14.6\" && version_is_less(version:buildVer, test_version:\"18G4032\"))\n {\n fix = \"Apply patch from vendor\";\n osVer = osVer + \" Build \" + buildVer;\n }\n }\n}\n\nelse if(version_in_range(version:osVer, test_version:\"10.15\", 
test_version2:\"10.15.3\")) {\n fix = \"10.15.4\";\n}\n\nif(fix)\n{\n report = report_fixed_ver(installed_version:osVer, fixed_version:fix);\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2020-09-14T15:43:52", "description": "The remote host is running a version of macOS / Mac OS X that is 10.13.x prior to 10.13.6 Security Update 2020-002,\n10.14.x prior to 10.14.6 Security Update 2020-002, or 10.15.x prior to 10.15.4. It is, therefore, affected by multiple\nvulnerabilities :\n\n - Insufficient control flow in certain data structures for some Intel(R) Processors with Intel(R) Processor\n Graphics may allow an unauthenticated user to potentially enable information disclosure via local access.\n (CVE-2019-14615)\n\n - ** DISPUTED ** In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can\n impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated with any user.\n NOTE: The software maintainer believes that this is not a vulnerability because running a command via sudo\n as a user not present in the local password database is an intentional feature. Because this behavior\n surprised some users, sudo 1.8.30 introduced an option to enable/disable this behavior with the default\n being disabled. However, this does not change the fact that sudo was behaving as intended, and as\n documented, in earlier versions. (CVE-2019-19232)\n\n - An out-of-bounds read error exists in Bluetooth due to improper input sanitization. An attacker can\n exploit this to read restricted memory. (CVE-2019-8853)\n\n - Privilege escalation vulnerabilities exist in IOThunderboltFamily (due to a use-after-free flaw), and in\n CUPS (due to a memory corruption issue). An attacker can exploit this to gain elevated access to the \n system. 
(CVE-2020-3851, CVE-2020-3898)\n\n - An information disclosure vulnerability exists in FaceTime, Icons, and Call History. An unauthenticated,\n local attacker can exploit this, via malicious applications, to disclose potentially sensitive\n information. (CVE-2020-3881, CVE-2020-9773, CVE-2020-9776)\n\n - An information disclosure vulnerability exists in Sandbox. A local user can exploit this to view\n sensitvie user information. (CVE-2020-3918)\n\n - An unspecified issue exists in AppleMobileFileIntegrity due to an unspecified reason. An attacker can\n exploit this to use arbitrary entitlements. (CVE-2020-3883)\n\n - An arbitrary code execution vulnerability exists in Mail due to improper input validation. An\n unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary\n JavaScript code. (CVE-2020-3884)\n\n - An arbitrary file read vulnerability exists in Time Machine due to improper state management. An\n unauthenticated, local attacker can exploit this to read arbitrary files and disclose sensitive\n information. (CVE-2020-3889)\n\n - An arbitrary code execution vulnerability exists in AppleGraphicsControl, Bluetooth, IOHIDFamily, and the\n kernel due to memory initialization and corruption issues. An attacker can exploit this to bypass\n authentication and execute arbitrary commands with kernel privileges. (CVE-2020-3892, CVE-2020-3893,\n CVE-2020-3904, CVE-2020-3905, CVE-2020-3919, CVE-2020-9785)\n\n - An arbitrary code execution vulnerability exists in Apple HSSPI Support due to a memory corruption issue.\n An attacker can exploit this to bypass authentication and execute arbitrary commands with system\n privileges. (CVE-2020-3903)\n\n - A logic issue exists in TCC due to an unspecified reason. An attacker can exploit this, via a maliciously\n crafted application, to cause bypass code signing. (CVE-2020-3906)\n\n - An out-of-bounds read error exists in Bluetooth due to improper input validation. 
An unauthenticated local\n attacker can exploit this to cause a denial of service or read kernel memory. (CVE-2020-3907,\n CVE-2020-3908, CVE-2020-3912)\n\n - A buffer overflow condition exists in libxml2 due to improper bounds checking and size validation. An\n attacker can exploit this to cause a denial of service condition or the execution of arbitrary code.\n (CVE-2020-3909, CVE-2020-3910, CVE-2020-3911)\n\n - A privilege escalation vulnerability exists in due to improper permission validation. An unauthenticated,\n remote attacker can exploit this, to gain elevated access to the system. (CVE-2020-3913)\n\n - An information disclosure vulnerability exists in the kernel due to improper memory handling. An attacker\n can exploit this to read restricted memory. (CVE-2020-3914)\n\n - An arbitrary file overwrite vulnerability exists in Printing due improper path handlng. An attacker can \n exploit this to overwrite arbitrary files. (CVE-2020-3915)\n\n - Multiple unspecified issues exist in the Vim installation on macOS. An attacker can exploit this to cause\n an unknown impact. (CVE-2020-9769)\n\n - An unspecified vulnerability exists in sysdiagnose due to insufficient validation of user supplied input. \n An attacker could exploit this issue with partial impact on the confidentiality, integrity & availability\n of the application and/or system. (CVE-2020-9786)\n\n - An vulnerability exists in WebKit due to a logic flaw in restrictions. An attacker may exploit this flaw,\n as part of a more elaborate attack, to gain unauthorized access to the MacOS camera. 
(CVE-2020-9787)\n\nNote that Nessus has not tested for this issue but has instead relied only on the operating system's self-reported\nversion number.", "edition": 6, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2020-03-27T00:00:00", "title": "macOS 10.15.x < 10.15.4 / 10.14.x < 10.14.6 Security Update 2020-002 / 10.13.x < 10.13.6 Security Update 2020-002", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-9785", "CVE-2020-9773", "CVE-2020-3919", "CVE-2020-3911", "CVE-2020-9776", "CVE-2020-3892", "CVE-2020-3914", "CVE-2020-3881", "CVE-2020-9786", "CVE-2020-3906", "CVE-2020-3912", "CVE-2020-3893", "CVE-2020-3904", "CVE-2020-3907", "CVE-2020-9769", "CVE-2020-3883", "CVE-2020-3898", "CVE-2020-3910", "CVE-2020-3913", "CVE-2019-14615", "CVE-2020-3918", "CVE-2019-19232", "CVE-2020-3915", "CVE-2020-3903", "CVE-2020-9787", "CVE-2020-3889", "CVE-2020-3884", "CVE-2019-8853", "CVE-2020-3905", "CVE-2020-3851", "CVE-2020-3909", "CVE-2020-3908"], "modified": "2020-03-27T00:00:00", "cpe": ["cpe:/o:apple:macos", "cpe:/o:apple:mac_os_x"], "id": "MACOS_HT211100.NASL", "href": "https://www.tenable.com/plugins/nessus/134954", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(134954);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/29\");\n\n script_cve_id(\n \"CVE-2019-8853\",\n \"CVE-2019-14615\",\n \"CVE-2019-19232\",\n \"CVE-2020-3851\",\n \"CVE-2020-3881\",\n \"CVE-2020-3883\",\n \"CVE-2020-3884\",\n \"CVE-2020-3889\",\n \"CVE-2020-3892\",\n \"CVE-2020-3893\",\n \"CVE-2020-3898\",\n \"CVE-2020-3903\",\n \"CVE-2020-3904\",\n \"CVE-2020-3905\",\n \"CVE-2020-3906\",\n \"CVE-2020-3907\",\n \"CVE-2020-3908\",\n \"CVE-2020-3909\",\n \"CVE-2020-3910\",\n \"CVE-2020-3911\",\n \"CVE-2020-3912\",\n \"CVE-2020-3913\",\n \"CVE-2020-3914\",\n \"CVE-2020-3915\",\n \"CVE-2020-3918\",\n \"CVE-2020-3919\",\n 
\"CVE-2020-9769\",\n \"CVE-2020-9773\",\n \"CVE-2020-9776\",\n \"CVE-2020-9785\",\n \"CVE-2020-9786\",\n \"CVE-2020-9787\"\n );\n script_xref(name:\"APPLE-SA\", value:\"HT211100\");\n script_xref(name:\"APPLE-SA\", value:\"APPLE-SA-2020-03-20\");\n script_xref(name:\"IAVA\", value:\"2020-A-0120-S\");\n\n script_name(english:\"macOS 10.15.x < 10.15.4 / 10.14.x < 10.14.6 Security Update 2020-002 / 10.13.x < 10.13.6 Security Update 2020-002\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a macOS update that fixes multiple vulnerabilities\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of macOS / Mac OS X that is 10.13.x prior to 10.13.6 Security Update 2020-002,\n10.14.x prior to 10.14.6 Security Update 2020-002, or 10.15.x prior to 10.15.4. It is, therefore, affected by multiple\nvulnerabilities :\n\n - Insufficient control flow in certain data structures for some Intel(R) Processors with Intel(R) Processor\n Graphics may allow an unauthenticated user to potentially enable information disclosure via local access.\n (CVE-2019-14615)\n\n - ** DISPUTED ** In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can\n impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated with any user.\n NOTE: The software maintainer believes that this is not a vulnerability because running a command via sudo\n as a user not present in the local password database is an intentional feature. Because this behavior\n surprised some users, sudo 1.8.30 introduced an option to enable/disable this behavior with the default\n being disabled. However, this does not change the fact that sudo was behaving as intended, and as\n documented, in earlier versions. (CVE-2019-19232)\n\n - An out-of-bounds read error exists in Bluetooth due to improper input sanitization. An attacker can\n exploit this to read restricted memory. 
(CVE-2019-8853)\n\n - Privilege escalation vulnerabilities exist in IOThunderboltFamily (due to a use-after-free flaw), and in\n CUPS (due to a memory corruption issue). An attacker can exploit this to gain elevated access to the \n system. (CVE-2020-3851, CVE-2020-3898)\n\n - An information disclosure vulnerability exists in FaceTime, Icons, and Call History. An unauthenticated,\n local attacker can exploit this, via malicious applications, to disclose potentially sensitive\n information. (CVE-2020-3881, CVE-2020-9773, CVE-2020-9776)\n\n - An information disclosure vulnerability exists in Sandbox. A local user can exploit this to view\n sensitvie user information. (CVE-2020-3918)\n\n - An unspecified issue exists in AppleMobileFileIntegrity due to an unspecified reason. An attacker can\n exploit this to use arbitrary entitlements. (CVE-2020-3883)\n\n - An arbitrary code execution vulnerability exists in Mail due to improper input validation. An\n unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary\n JavaScript code. (CVE-2020-3884)\n\n - An arbitrary file read vulnerability exists in Time Machine due to improper state management. An\n unauthenticated, local attacker can exploit this to read arbitrary files and disclose sensitive\n information. (CVE-2020-3889)\n\n - An arbitrary code execution vulnerability exists in AppleGraphicsControl, Bluetooth, IOHIDFamily, and the\n kernel due to memory initialization and corruption issues. An attacker can exploit this to bypass\n authentication and execute arbitrary commands with kernel privileges. (CVE-2020-3892, CVE-2020-3893,\n CVE-2020-3904, CVE-2020-3905, CVE-2020-3919, CVE-2020-9785)\n\n - An arbitrary code execution vulnerability exists in Apple HSSPI Support due to a memory corruption issue.\n An attacker can exploit this to bypass authentication and execute arbitrary commands with system\n privileges. 
(CVE-2020-3903)\n\n - A logic issue exists in TCC due to an unspecified reason. An attacker can exploit this, via a maliciously\n crafted application, to cause bypass code signing. (CVE-2020-3906)\n\n - An out-of-bounds read error exists in Bluetooth due to improper input validation. An unauthenticated local\n attacker can exploit this to cause a denial of service or read kernel memory. (CVE-2020-3907,\n CVE-2020-3908, CVE-2020-3912)\n\n - A buffer overflow condition exists in libxml2 due to improper bounds checking and size validation. An\n attacker can exploit this to cause a denial of service condition or the execution of arbitrary code.\n (CVE-2020-3909, CVE-2020-3910, CVE-2020-3911)\n\n - A privilege escalation vulnerability exists in due to improper permission validation. An unauthenticated,\n remote attacker can exploit this, to gain elevated access to the system. (CVE-2020-3913)\n\n - An information disclosure vulnerability exists in the kernel due to improper memory handling. An attacker\n can exploit this to read restricted memory. (CVE-2020-3914)\n\n - An arbitrary file overwrite vulnerability exists in Printing due improper path handlng. An attacker can \n exploit this to overwrite arbitrary files. (CVE-2020-3915)\n\n - Multiple unspecified issues exist in the Vim installation on macOS. An attacker can exploit this to cause\n an unknown impact. (CVE-2020-9769)\n\n - An unspecified vulnerability exists in sysdiagnose due to insufficient validation of user supplied input. \n An attacker could exploit this issue with partial impact on the confidentiality, integrity & availability\n of the application and/or system. (CVE-2020-9786)\n\n - An vulnerability exists in WebKit due to a logic flaw in restrictions. An attacker may exploit this flaw,\n as part of a more elaborate attack, to gain unauthorized access to the MacOS camera. 
(CVE-2020-9787)\n\nNote that Nessus has not tested for this issue but has instead relied only on the operating system's self-reported\nversion number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT211100\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to macOS 10.15.4 / 10.14.x < 10.14.6 Security Update 2020-002 / 10.13.x < 10.13.6 Security Update 2020-002 or\nlater\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-9785\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/12/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/03/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/03/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:mac_os_x\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:macos\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"os_fingerprint.nasl\");\n script_require_ports(\"Host/MacOSX/Version\", \"Host/OS\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('lists.inc');\ninclude('vcf_extras_apple.inc');\n\napp_info = vcf::apple::macos::get_app_info();\n\nconstraints = [\n { 'max_version' : '10.13.6', 'min_version' : '10.13', 'fixed_build' : '17G12034', 'fixed_display' : '10.13.6 Security Update 2020-002' },\n { 'max_version' : '10.14.6', 'min_version' : '10.14', 'fixed_build' : '18G4032', 'fixed_display' : '10.14.6 Security Update 2020-002' },\n { 'max_version' : '10.15.3', 'min_version' : '10.15', 'fixed_version' : '10.15.4', 'fixed_display' : 'macOS Catalina 10.15.4' }\n];\n\nvcf::apple::macos::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "apple": [{"lastseen": "2020-12-24T20:42:33", "bulletinFamily": "software", "cvelist": ["CVE-2020-9785", "CVE-2020-9771", "CVE-2020-9772", "CVE-2020-3919", "CVE-2020-3911", "CVE-2020-9779", "CVE-2020-9776", "CVE-2020-9828", "CVE-2020-3892", "CVE-2020-3914", "CVE-2020-3881", "CVE-2020-3902", "CVE-2020-9786", "CVE-2020-3906", "CVE-2020-3912", "CVE-2020-3893", "CVE-2020-3904", "CVE-2020-3907", "CVE-2020-9769", "CVE-2020-3883", "CVE-2020-9775", "CVE-2020-3898", "CVE-2020-3910", "CVE-2020-3913", "CVE-2020-6616", "CVE-2019-14615", "CVE-2020-3918", "CVE-2019-19232", "CVE-2020-3915", "CVE-2020-3903", "CVE-2020-9787", "CVE-2020-3889", "CVE-2020-3884", "CVE-2019-8853", "CVE-2020-9829", "CVE-2020-3905", "CVE-2020-3851", "CVE-2020-9853", "CVE-2020-3909", "CVE-2020-3908"], "description": "## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. 
Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page.\n\n\n\n## macOS Catalina 10.15.4, Security Update 2020-002 Mojave, Security Update 2020-002 High Sierra\n\nReleased March 24, 2020\n\n**Accounts**\n\nAvailable for: macOS Catalina 10.15.3\n\nImpact: A sandboxed process may be able to circumvent sandbox restrictions\n\nDescription: A logic issue was addressed with improved restrictions.\n\nCVE-2020-9772: Allison Husain of UC Berkeley\n\nEntry added May 21, 2020\n\n**Apple HSSPI Support**\n\nAvailable for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.3\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2020-3903: Proteas of Qihoo 360 Nirvan Team\n\nEntry updated May 1, 2020\n\n**AppleGraphicsControl**\n\nAvailable for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.3\n\nImpact: A malicious application may be able to execute arbitrary code with kernel privileges\n\nDescription: Multiple memory corruption issues were addressed with improved state management.\n\nCVE-2020-3904: Proteas of Qihoo 360 Nirvan Team\n\n**AppleMobileFileIntegrity**\n\nAvailable for: macOS Catalina 10.15.3\n\nImpact: An application may be able to use arbitrary entitlements\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2020-3883: Linus Henze (pinauten.de)\n\n**Bluetooth**\n\nAvailable for: macOS Catalina 10.15.3\n\nImpact: An attacker in a privileged network position may be able to intercept Bluetooth traffic\n\nDescription: An issue existed with the use of a PRNG with low entropy. 
This issue was addressed with improved state management.\n\nCVE-2020-6616: J\u00f6rn Tillmanns (@matedealer) and Jiska Classen (@naehrdine) of Secure Mobile Networking Lab\n\nEntry added May 21, 2020\n\n**Bluetooth**\n\nAvailable for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.3\n\nImpact: A malicious application may be able to determine kernel memory layout\n\nDescription: A memory corruption issue was addressed with improved validation.\n\nCVE-2020-9853: Yu Wang of Didi Research America\n\nEntry added May 21, 2020\n\n**Bluetooth**\n\nAvailable for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.3\n\nImpact: A local user may be able to cause unexpected system termination or read kernel memory\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2020-3907: Yu Wang of Didi Research America\n\nCVE-2020-3908: Yu Wang of Didi Research America\n\nCVE-2020-3912: Yu Wang of Didi Research America\n\nCVE-2020-9779: Yu Wang of Didi Research America\n\nEntry updated September 21, 2020\n\n**Bluetooth**\n\nAvailable for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.3\n\nImpact: A malicious application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved input validation.\n\nCVE-2020-3892: Yu Wang of Didi Research America\n\nCVE-2020-3893: Yu Wang of Didi Research America\n\nCVE-2020-3905: Yu Wang of Didi Research America\n\n**Bluetooth**\n\nAvailable for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6\n\nImpact: An application may be able to read restricted memory\n\nDescription: A validation issue was addressed with improved input sanitization.\n\nCVE-2019-8853: Jianjun Dai of Qihoo 360 Alpha Lab\n\n**Call History**\n\nAvailable for: macOS Catalina 10.15.3\n\nImpact: A malicious application may be able to access a user's call history\n\nDescription: This issue was addressed with a new 
entitlement.\n\nCVE-2020-9776: Benjamin Randazzo (@____benjamin)\n\n**CoreBluetooth**\n\nAvailable for: macOS Catalina 10.15.3\n\nImpact: A remote attacker may be able to leak sensitive user information\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2020-9828: Jianjun Dai of Qihoo 360 Alpha Lab\n\nEntry added May 13, 2020\n\n**CoreFoundation**\n\nAvailable for: macOS Catalina 10.15.3\n\nImpact: A malicious application may be able to elevate privileges\n\nDescription: A permissions issue existed. This issue was addressed with improved permission validation.\n\nCVE-2020-3913: Timo Christ of Avira Operations GmbH & Co. KG\n\n**CoreText**\n\nAvailable for: macOS Catalina 10.15.3\n\nImpact: Processing a maliciously crafted text message may lead to application denial of service\n\nDescription: A validation issue was addressed with improved input sanitization.\n\nCVE-2020-9829: Aaron Perris (@aaronp613), an anonymous researcher, an anonymous researcher, Carlos S Tech, Sam Menzies of Sam\u2019s Lounge, Sufiyan Gouri of Lovely Professional University, India, Suleman Hasan Rathor of Arabic-Classroom.com\n\nEntry added May 21, 2020\n\n**CUPS**\n\nAvailable for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.3\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A memory corruption issue was addressed with improved validation.\n\nCVE-2020-3898: Stephan Zeisberg (github.com/stze) of Security Research Labs (srlabs.de)\n\nEntry added April 8, 2020\n\n**FaceTime**\n\nAvailable for: macOS Catalina 10.15.3\n\nImpact: A local user may be able to view sensitive user information\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2020-3881: Yuval Ron, Amichai Shulman and Eli Biham of Technion - Israel Institute of Technology\n\n**Intel Graphics Driver**\n\nAvailable for: macOS Catalina 10.15.3\n\nImpact: A malicious application may disclose restricted 
memory\n\nDescription: An information disclosure issue was addressed with improved state management.\n\nCVE-2019-14615: Wenjian HE of Hong Kong University of Science and Technology, Wei Zhang of Hong Kong University of Science and Technology, Sharad Sinha of Indian Institute of Technology Goa, and Sanjeev Das of University of North Carolina\n\n**IOHIDFamily**\n\nAvailable for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.3\n\nImpact: A malicious application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory initialization issue was addressed with improved memory handling.\n\nCVE-2020-3919: Alex Plaskett of F-Secure Consulting\n\nEntry updated May 21, 2020\n\n**IOThunderboltFamily**\n\nAvailable for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A use after free issue was addressed with improved memory management.\n\nCVE-2020-3851: Xiaolong Bai and Min (Spark) Zheng of Alibaba Inc. 
and Luyi Xing of Indiana University Bloomington\n\n**Kernel**\n\nAvailable for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.3\n\nImpact: An application may be able to read restricted memory\n\nDescription: A memory initialization issue was addressed with improved memory handling.\n\nCVE-2020-3914: pattern-f (@pattern_F_) of WaCai\n\n**Kernel**\n\nAvailable for: macOS Catalina 10.15.3\n\nImpact: A malicious application may be able to execute arbitrary code with kernel privileges\n\nDescription: Multiple memory corruption issues were addressed with improved state management.\n\nCVE-2020-9785: Proteas of Qihoo 360 Nirvan Team\n\n**libxml2**\n\nAvailable for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.3\n\nImpact: Multiple issues in libxml2\n\nDescription: A buffer overflow was addressed with improved bounds checking.\n\nCVE-2020-3909: LGTM.com\n\nCVE-2020-3911: found by OSS-Fuzz\n\n**libxml2**\n\nAvailable for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.3\n\nImpact: Multiple issues in libxml2\n\nDescription: A buffer overflow was addressed with improved size validation.\n\nCVE-2020-3910: LGTM.com\n\n**Mail**\n\nAvailable for: macOS High Sierra 10.13.6, macOS Catalina 10.15.3\n\nImpact: A remote attacker may be able to cause arbitrary javascript code execution\n\nDescription: An injection issue was addressed with improved validation.\n\nCVE-2020-3884: Apple\n\n**Printing**\n\nAvailable for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.3\n\nImpact: A malicious application may be able to overwrite arbitrary files\n\nDescription: A path handling issue was addressed with improved validation.\n\nCVE-2020-3915: An anonymous researcher working with iDefense Labs (https://vcp.idefense.com/), HyungSeok Han (DaramG) @Theori working with TrendMicro\u2019s Zero Day Initiative\n\nEntry added May 1, 2020\n\n**Safari**\n\nAvailable for: macOS Catalina 10.15.3\n\nImpact: A user's 
private browsing activity may be unexpectedly saved in Screen Time\n\nDescription: An issue existed in the handling of tabs displaying picture in picture video. The issue was corrected with improved state handling.\n\nCVE-2020-9775: Andrian (@retroplasma), Marat Turaev, Marek Wawro (futurefinance.com) and Sambor Wawro of STO64 School Krakow Poland\n\nEntry added May 13, 2020\n\n**Sandbox**\n\nAvailable for: macOS Catalina 10.15.3\n\nImpact: A user may gain access to protected parts of the file system\n\nDescription: This issue was addressed with a new entitlement.\n\nCVE-2020-9771: Csaba Fitzl (@theevilbit) of Offensive Security\n\nEntry added May 21, 2020\n\n**Sandbox**\n\nAvailable for: macOS Catalina 10.15.3\n\nImpact: A local user may be able to view sensitive user information\n\nDescription: An access issue was addressed with additional sandbox restrictions.\n\nCVE-2020-3918: an anonymous researcher, Augusto Alvarez of Outcourse Limited\n\nEntry added April 8, 2020, updated May 21, 2020\n\n**sudo**\n\nAvailable for: macOS Catalina 10.15.3\n\nImpact: An attacker may be able to run commands as a non-existent user\n\nDescription: This issue was addressed by updating to sudo version 1.8.31.\n\nCVE-2019-19232\n\n**sysdiagnose**\n\nAvailable for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6\n\nImpact: An application may be able to trigger a sysdiagnose\n\nDescription: This issue was addressed with improved checks\n\nCVE-2020-9786: Dayton Pidhirney (@_watbulb) of Seekintoo (@seekintoo)\n\nEntry added April 4, 2020\n\n**TCC**\n\nAvailable for: macOS Mojave 10.14.6, macOS Catalina 10.15.3\n\nImpact: A maliciously crafted application may be able to bypass code signing enforcement\n\nDescription: A logic issue was addressed with improved restrictions.\n\nCVE-2020-3906: Patrick Wardle of Jamf\n\n**Time Machine**\n\nAvailable for: macOS Catalina 10.15.3\n\nImpact: A local user may be able to read arbitrary files\n\nDescription: A logic issue was addressed with improved 
state management.\n\nCVE-2020-3889: Lasse Trolle Borup of Danish Cyber Defence\n\n**Vim**\n\nAvailable for: macOS Catalina 10.15.3\n\nImpact: Multiple issues in Vim\n\nDescription: Multiple issues were addressed by updating to version 8.1.1850.\n\nCVE-2020-9769: Steve Hahn from LinkedIn\n\n**WebKit**\n\nAvailable for: macOS Catalina 10.15.3\n\nImpact: Some websites may not have appeared in Safari Preferences\n\nDescription: A logic issue was addressed with improved restrictions.\n\nCVE-2020-9787: Ryan Pickren (ryanpickren.com)\n\nEntry added April 8, 2020\n\n**WebKit**\n\nAvailable for: macOS Catalina 10.15.3\n\nImpact: Processing maliciously crafted web content may lead to a cross site scripting attack\n\nDescription: An input validation issue was addressed with improved input validation.\n\nCVE-2020-3902: Yi\u011fit Can YILMAZ (@yilmazcanyigit)\n\nEntry added July 28, 2020\n\n\n\n## Additional recognition\n\n**CoreText**\n\nWe would like to acknowledge an anonymous researcher for their assistance.\n\n**FireWire Audio**\n\nWe would like to acknowledge Xiaolong Bai and Min (Spark) Zheng of Alibaba Inc. 
and Luyi Xing of Indiana University Bloomington for their assistance.\n\n**FontParser**\n\nWe would like to acknowledge Matthew Denton of Google Chrome for their assistance.\n\n**Installer**\n\nWe would like to acknowledge Pris Sears of Virginia Tech, Tom Lynch of UAL Creative Computing Institute, an anonymous researcher, an anonymous researcher for their assistance.\n\nEntry added December 15, 2020\n\n**Install Framework Legacy**\n\nWe would like to acknowledge Pris Sears of Virginia Tech, Tom Lynch of UAL Creative Computing Institute, and an anonymous researcher for their assistance.\n\n**LinkPresentation**\n\nWe would like to acknowledge Travis for their assistance.\n\n**OpenSSH**\n\nWe would like to acknowledge an anonymous researcher for their assistance.\n\n**rapportd**\n\nWe would like to acknowledge Alexander Heinrich (@Sn0wfreeze) of Technische Universit\u00e4t Darmstadt for their assistance.\n\n**Sidecar**\n\nWe would like to acknowledge Rick Backley (@rback_sec) for their assistance.\n\n**sudo**\n\nWe would like to acknowledge Giorgio Oppo (linkedin.com/in/giorgio-oppo/) for their assistance.\n\nEntry added April 4, 2020\n", "edition": 8, "modified": "2020-12-15T06:13:57", "published": "2020-12-15T06:13:57", "id": "APPLE:HT211100", "href": "https://support.apple.com/kb/HT211100", "title": "About the security content of macOS Catalina 10.15.4, Security Update 2020-002 Mojave, Security Update 2020-002 High Sierra - Apple Support", "type": "apple", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}