Attack Chain

1. A local attacker gains access to a macOS High Sierra (10.13) system.
2. The attacker opens Disk Utility.app.
3. The attacker initiates the process of mounting an encrypted APFS volume.
4. The system prompts the attacker for the password to unlock the volume.
5. The attacker clicks the ‘Show Hint’ button in the password prompt dialog.
6. Instead of the intended password hint, the system displays the actual password for the encrypted volume in plain text.
7. The attacker uses the displayed password to unlock and mount the encrypted APFS volume.
8. The attacker gains full access to all data stored within the decrypted APFS volume.

Impact

Successful exploitation of CVE-2017-7149 results in the unauthorized disclosure of the password for an encrypted APFS volume. A local attacker can leverage this to bypass encryption, mount the volume, and gain access to all sensitive data stored within. This vulnerability impacts macOS High Sierra (10.13) users who utilize encrypted APFS volumes for data protection. The number of affected users is unknown, but the potential for data compromise is significant for any user relying on APFS encryption on the affected operating system version.

Recommendation

• If running an unpatched macOS High Sierra (10.13) system, upgrade to a patched version to remediate CVE-2017-7149.
• Enable system integrity protection (SIP) to make debugging and tampering with system processes more difficult for attackers.
• Monitor for suspicious activity involving Disk Utility.app, specifically attempts to mount or access encrypted APFS volumes. Deploy the Sigma rule to detect unusual process execution patterns related to Disk Utility.app.
• Audit existing APFS volumes for password hints that may contain sensitive information due to this vulnerability.