# Full Report
Recently Apple patched a vulnerability (CVE-2020-3919) in IOHIDFamily in their security update 10.15.4 which may allow a malicious application to execute arbitrary code with kernel privileges. It turns out this bug affected iOS as well.
# Analysis Summary
# Vulnerability: IOHIDFamily Uninitialized Kernel Memory Use
## CVE Details
- CVE ID: CVE-2020-3919
- CVSS Score: Not specified in the provided text (likely High, given the potential for local kernel code execution).
- CWE: CWE-416 (Use After Free) or CWE-908 (Use of Uninitialized Resource), indicated by use of uninitialized memory leading to control over kernel memory.
## Affected Systems
- Products: Apple macOS (IOHIDFamily), Apple iOS (IOHIDFamily)
- Versions: macOS versions prior to 10.15.4 and iOS versions prior to the corresponding iOS update.
- Configurations: Triggered via a malicious application making specific calls to the IOKit driver, utilizing `IOConnectSetNotificationPort`.
## Vulnerability Description
The vulnerability resides in the `IOHIDLibUserClient::registerNotificationPortGated` function within the IOHIDFamily kernel extension. This flaw allows an attacker to trigger the use of uninitialized kernel memory (`fValidMessage`).
Specifically, when `registerNotificationPort` is called with `type` set to `kIOHIDLibUserClientDeviceValidPortType` and an invalid or NULL Mach port, the code allocates memory for `fValidMessage` but the subsequent `!fValidPort` check returns early before that memory is initialized. During the later cleanup/closing sequence (`IOHIDLibUserClient::setValid(false)`), the uninitialized pointer stored in `fValidMessage` can be used (e.g., freed via `IOFree`), yielding an arbitrary memory write primitive in kernel space under the attacker's control, which can in turn lead to arbitrary code execution with kernel privileges.
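The defect described above is an instance of a general pattern: an allocation is stored in an object before an early-exit check, so a later teardown path consumes memory that was never initialized. The following C program is an added illustration written for this summary, not IOHIDFamily code or the researcher's PoC; every name in it (`client_t`, `valid_message_t`, `register_port_vulnerable`, `register_port_hardened`, `set_valid_false`) is a hypothetical stand-in. It models the vulnerable allocate-then-bail ordering beside the hardened ordering (validate, allocate, fully initialize, then publish), and fills fresh allocations with a constructed sentinel so that uninitialized reads are observable rather than accidentally zero.

```c
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Constructed "stale heap" fill: makes any read-before-initialise visible. */
#define SENTINEL 0xAB

typedef struct {
    uint32_t remote_port;   /* stands in for the port name in a message header */
    uint32_t initialised;   /* 1 once the message has been fully set up */
} valid_message_t;

typedef struct {
    uint32_t         valid_port;     /* 0 models the invalid/NULL port case */
    valid_message_t *valid_message;  /* models fValidMessage */
} client_t;

/* Simulated kernel allocator: returns memory full of stale bytes, as a real
 * allocator may, so uninitialised fields carry arbitrary values. */
static void *stale_alloc(size_t n) {
    void *p = malloc(n);
    if (p) memset(p, SENTINEL, n);
    return p;
}

/* VULNERABLE ordering (hypothetical model): allocate and store the message
 * first, then exit early on an invalid port without initialising it. */
int register_port_vulnerable(client_t *c, uint32_t port) {
    c->valid_port = port;
    c->valid_message = stale_alloc(sizeof *c->valid_message);
    if (!c->valid_message) return -1;
    if (!c->valid_port)          /* early exit: valid_message stays stale */
        return 0;
    c->valid_message->remote_port = port;
    c->valid_message->initialised = 1;
    return 0;
}

/* HARDENED ordering: reject the invalid port before allocating, initialise
 * every byte, and only then publish the pointer in the object. */
int register_port_hardened(client_t *c, uint32_t port) {
    c->valid_port = port;
    if (!c->valid_port) {
        c->valid_message = NULL;  /* nothing for the teardown path to touch */
        return 0;
    }
    valid_message_t *m = stale_alloc(sizeof *m);
    if (!m) return -1;
    memset(m, 0, sizeof *m);
    m->remote_port = port;
    m->initialised = 1;
    c->valid_message = m;         /* published only once fully initialised */
    return 0;
}

/* Teardown path standing in for setValid(false): consumes whatever message
 * the object holds. Returns the remote_port it read (garbage on the
 * vulnerable path), or 0 when there is no message. */
uint32_t set_valid_false(client_t *c) {
    uint32_t used = 0;
    if (c->valid_message) {
        used = c->valid_message->remote_port;
        free(c->valid_message);
        c->valid_message = NULL;
    }
    return used;
}

/* Check used by the test: 1 if teardown would consume an uninitialised
 * message (the bug class), 0 if every field it reads was initialised,
 * -1 on allocation failure. */
int teardown_reads_uninitialised(int (*reg)(client_t *, uint32_t), uint32_t port) {
    client_t c = {0};
    if (reg(&c, port) != 0) return -1;
    int stale = c.valid_message && c.valid_message->initialised != 1;
    set_valid_false(&c);
    return stale;
}

int main(void) {
    /* Invalid port (0): the vulnerable ordering leaves a stale message
     * behind for teardown; the hardened ordering leaves nothing. */
    int bug = teardown_reads_uninitialised(register_port_vulnerable, 0);
    int fixed = teardown_reads_uninitialised(register_port_hardened, 0);
    return (bug == 1 && fixed == 0) ? 0 : 1;
}
```

The point of the check is that the hardened variant never lets an object hold a pointer to memory it has not finished initializing, so the teardown path has nothing unsafe to consume regardless of which early-exit branch was taken.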
## Exploitation
- Status: PoC available (Proof-of-Concept script provided using `iokitlib` to call `ioconnect_setnotificationport` with an invalid port).
- Complexity: Low (Local application only, simplified PoC provided).
- Attack Vector: Local (Requires execution of a malicious application on the target system).
## Impact
- Confidentiality: High (Kernel privileges allow access to all system memory and data).
- Integrity: High (Kernel privileges allow modification of system state and data).
- Availability: High (Kernel crash resulting in system denial of service).
## Remediation
### Patches
- macOS: Patched in security update **10.15.4**.
- iOS: Patched in the corresponding security update for iOS.
### Workarounds
- No vendor-provided workarounds were mentioned in the text. In general, restricting which applications may execute and employing kernel-level integrity controls serve as temporary mitigation until the patch is applied.
## Detection
- Indicators of compromise: Unusual memory allocation patterns within the `IOHIDFamily` driver, or unexpected calls to or crashes referencing IOKit notification-port handling functions.
- Detection methods and tools: Kernel debugging tools or runtime integrity monitoring capable of tracing interactions with IOKit services may reveal the suspicious calls preceding a crash or exploitation attempt.
## References
- Vendor Advisory (macOS): `https://support.apple.com/en-gb/HT211100` (Defanged)
- Vendor Advisory (iOS): `https://support.apple.com/en-gb/HT211102` (Defanged)
- Research Writeup: `https://alexplaskett.github.io/` (Defanged)