Vulnerability Watch

Forum Discussion

scaveza
Product Team
5 years ago

CVE-2020-9768: PoC released for use-after-free/type confusion vulnerability in Apple iOS

On March 24, Apple released security advisory HT211102 to announce the release of iOS 13.4. One of the issues patched with this update was CVE-2020-9768, a use-after-free/type confusion vulnerability in AppleJPEGDriverUserClient.

On March 25, security researcher Mohamed Ghannam (@_simo36) posted a tweet indicating that the description Apple published for CVE-2020-9768 was not accurate, noting that “this is a Kernel bug in AppleJPEGDriverUserClient”. In the tweet, Ghannam linked to a GitHub repository containing a proof-of-concept (PoC) for triggering the vulnerability, which he is credited with disclosing to Apple.

According to the text within the PoC, this flaw is a use-after-free/type confusion flaw reached via a race condition during the processing of a JPEG image. Based on the description from Apple, this bug appears to be limited to local exploitation, though arbitrary code execution with system privileges is potentially possible.

We encourage users to apply the security update to address this CVE, and several additional vulnerabilities patched in iOS 13.4, including remote code execution (RCE) and cross-site scripting (XSS) vulnerabilities as noted in the security advisory from Apple. A list of Tenable plugins to identify this vulnerability will appear here as they’re released.
