Apple released an emergency update that fixes a critical bug affecting the High Sierra operating system, specifically in the APFS volume management system. According to security reports and the company, the bug allowed passwords to be revealed via the password hint feature.
Emergency Patch Fixes Apple’s High Sierra Password Bug (CVE-2017-7149)
The bug is tracked as CVE-2017-7149 and is a severe vulnerability in the way the new APFS file system is implemented. The problem lies in the way the password hint is handled: once the user configures a hint, the password itself is stored as a plain text string.
The discovery was made by Matheus Mariano, a security researcher, while he was interacting with a new encrypted volume in an APFS container. He opted to create a password together with a hint. When the new container was mounted and the password prompt appeared, the password was displayed in the hint field. During the investigation it was revealed that the issue affects only Mac computers and laptops equipped with SSD drives.
The released patch also resolves another issue with Apple’s operating system. Recently High Sierra was affected by a vulnerability that allowed plaintext passwords to be dumped from the keychain. It is suspected that the problem also exists in previous versions such as El Capitan and Sierra. The security researchers state that the showcased problems present a low barrier to entry once an intrusion point is found on target machines.
The Mac OS X keychain is one of the most important security components in the operating system and is directly responsible for the authentication process. It provides an encrypted container that holds the system user account credentials, as well as passwords and strings used by applications and online services. Recent versions can also store other sensitive data, including payment card data, banking PINs and other credentials.
The accompanying Keychain Access component is the password management software that handles the keychain entries by automating credential input. The description that accompanies the CVE-2017-7149 security advisory reads as follows:
If a hint was set in Disk Utility when creating an APFS encrypted volume, the password was stored as the hint. This was addressed by clearing hint storage if the hint was the password, and by improving the logic for storing hints.
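The advisory describes two changes: clearing hint storage when the hint is the password, and tightening the hint-storage logic. The following is an added illustration of that policy, written for this article; it is not Apple's code and does not reflect APFS's real metadata layout. The VolumeRecord type and the function names are hypothetical stand-ins, and the hint_leaks_password rules go beyond Apple's stated fix (which only needed the equality check) by also rejecting hints that contain the password, its case-folded form, or its reversal, so the example demonstrates the general shape of a safe hint-storage check rather than only the single case the advisory names.

```python
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class VolumeRecord:
    """Constructed stand-in for an encrypted volume's metadata (hypothetical, not APFS's real layout)."""
    name: str
    hint: Optional[str] = None


def hint_leaks_password(hint: str, password: str) -> bool:
    """Return True when the hint would disclose the password outright.

    Exact equality is the condition the advisory names. The substring,
    case-insensitive and reversed checks are this example's generalisation
    (an assumption about sensible policy), not part of Apple's stated fix.
    """
    if not hint:
        return False
    h = hint.strip()
    # Constant-time comparison for the exact-match case so the check itself
    # does not leak how much of the password the hint matched.
    if hmac.compare_digest(h.encode("utf-8"), password.encode("utf-8")):
        return True
    lowered_h, lowered_p = h.lower(), password.lower()
    # Only apply the looser rules to passwords long enough for a substring
    # match to be meaningful; very short fragments would reject harmless hints.
    if len(lowered_p) >= 4 and (lowered_p in lowered_h or lowered_p[::-1] in lowered_h):
        return True
    return False


def store_hint_vulnerable(record: VolumeRecord, hint: str, password: str) -> VolumeRecord:
    """Mirrors the behaviour the advisory describes: the password ended up in the hint slot."""
    record.hint = password
    return record


def store_hint_fixed(record: VolumeRecord, hint: str, password: str) -> VolumeRecord:
    """Store the hint only when it does not disclose the password; otherwise clear hint storage."""
    if hint_leaks_password(hint, password):
        record.hint = None  # "clearing hint storage if the hint was the password"
    else:
        record.hint = hint.strip() or None  # never persist an empty hint
    return record


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    bad = store_hint_vulnerable(VolumeRecord("Data"), "pet name", "hunter2")
    good = store_hint_fixed(VolumeRecord("Data"), "hunter2", "hunter2")
    print("vulnerable hint slot:", bad.hint)   # shows the password
    print("fixed hint slot:", good.hint)       # None, hint cleared
```

The fixed routine is the one a disk-formatting tool should call before persisting a hint; the vulnerable routine is kept only to show, in code, the behaviour the advisory describes being removed.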
It is recommended that all Mac OS X users apply the update immediately to protect themselves from abuse.