Lucene search

AttackerKBAKB:FBD23D1A-377F-4CD4-80F6-D224BC686AC6

HistoryOct 16, 2020 - 12:00 a.m.

CVE-2020-9934 - macOS Transparency, Consent, and Control (TCC) Framework bypass

2020-10-1600:00:00

attackerkb.com

macos tcc framework

environment variables

validation

ios 13.6

ipados 13.6

macos catalina 10.15.6

local user

sensitive information

cve-2020-9934

CVSS2

2.1

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:L/Au:N/C:P/I:N/A:N

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

5.6

Confidence

High

EPSS

0.001

Percentile

44.0%

JSON

An issue existed in the handling of environment variables. This issue was addressed with improved validation. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6. A local user may be able to view sensitive user information.

Recent assessments:

busterb at August 03, 2020 10:42pm UTC reported:

Matt Shockley wrote a nice blog post, noted by @timwr and**@ccondon-r7**, on how to trivially bypass the TCC framework in MacOS by modifying the $HOME environment variable to point to an arbitrary TCC entitlement database that the attacker controls. What this means is that a post-exploitation implant will have an easy time bypassing TCC to access all files available to a user without any prompting.

However, since this is a relatively new feature in Catalina, users of earlier macOS versions were already ‘vulnerable’ simply because this feature was not available. It may be some time before users expect this to be a real security boundary on macOS, though on iOS it is definitely more of an expectation.

Assessed Attacker Value: 5
Assessed Attacker Value: 5Assessed Attacker Value: 5