CVE-2020-27908: 
macOS vulnerability analysis and mitigation

An out-of-bounds read vulnerability (CVE-2020-27908) was discovered in Apple's CoreAudio component. The vulnerability was fixed in macOS Big Sur 11.1, Security Update 2020-001 Catalina, Security Update 2020-007 Mojave, macOS Big Sur 11.0.1, iOS 14.2 and iPadOS 14.2, watchOS 7.1, and tvOS 14.2. The vulnerability was reported by an anonymous researcher working with Trend Micro Zero Day Initiative along with JunDong Xie and Xingwei Lin of Ant Security Light-Year Lab (Apple Security).

The vulnerability is an out-of-bounds read issue in the AudioCodecs module that occurs when processing maliciously crafted audio files. The flaw was assigned a CVSS v3.1 base score of 7.8 (HIGH) with vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability was addressed by implementing improved input validation (ZDI Advisory, NVD).

Processing a maliciously crafted audio file could lead to arbitrary code execution on affected systems. The vulnerability could allow attackers to execute code in the context of the current process (ZDI Advisory).

Apple has released security updates to address this vulnerability in multiple operating systems: macOS Big Sur 11.1, Security Update 2020-001 Catalina, Security Update 2020-007 Mojave, macOS Big Sur 11.0.1, iOS 14.2 and iPadOS 14.2, watchOS 7.1, and tvOS 14.2. Users should update their systems to the latest available versions (Apple Security).