External volumes encrypted using the Apple File System are logging decryption passwords in plain text, and Apple has yet to fix the problem.
Building a slide deck, pitch, or presentation? Here are the big takeaways:
- A newly discovered bug in the Apple Disk Utility is revealing APFS-encrypted drive passwords in plain text in the system's unified log.
- The latest version of High Sierra has fixed the flaw, but it is still possible to find the password in plain text for APFS volumes that were encrypted after creation.
Discovered by forensic analyst Sarah Edwards of Mac4n6, the bug originates with the Apple Disk Utility when using the Apple File System (APFS) to encrypt a drive.
More specifically, the incarnation of the bug discovered by Edwards affects macOS High Sierra 10.13.1. A variation of it does exist, and systems all the way up to 10.13.3 (the latest version) are vulnerable.
How to grab a plain-text password in macOS High Sierra
Edwards discovered the bug while creating a new APFS-formatted, FileVault-encrypted drive. Using a terminal command to scan her Mac's unified log for events with the drive's name in them, she turned up a line with the drive's password visible, completely unencrypted.
The command that showed the password in the log was the newfs_apfs argument that actually created the drive, complete with the password showing under the -S option, which sets a password for an encrypted drive.
All a theoretical attacker would need to do to steal the password to an APFS-encrypted drive under this bug would be to gain access to the unified log on a target machine, search for event messages that contain a drive's name, and find the right line.
Finding the password in newer versions of High Sierra
Edwards points out that the bug doesn't work the same way in the 10.13.2 and 10.13.3 versions of macOS High Sierra, but she was still able to find a way to extract the password in plain text in these newer versions.
SEE: IT leader's guide to big data security (Tech Pro Research)
The newer versions of macOS restrict the bug to APFS drives that were originally created as unencrypted and are later encrypted using the macOS Disk Utility.
Finding the password for previously unencrypted volumes only takes a trip to the command line, this time searching for any event messages that contain "newfs_", the command for creating an encrypted volume. Scan the log for a bit and the encryption password shows right up.
Is this a security risk?
The passwords for both the newer bug and the more exploitable one in macOS 10.13.1 are stored in on-disk, non-volatile logs, Edwards points out, so they're going to stick around for a while.
Exploitability of the bug is somewhat narrow, especially considering that newer versions of the bug only affect volumes that were encrypted after creation. Users of older versions of macOS should be wary, especially if regularly creating external APFS-formatted encrypted volumes. Choosing a different drive format should also be considered.
macOS users should upgrade to the latest version of High Sierra as soon as possible to limit the effectiveness of this potentially serious bug.
- 10 Terminal commands to speed your work on the Mac (free PDF) (TechRepublic)
- Ex-NSA hacker drops macOS High Sierra zero-day hours before launch (ZDNet)
- Apple macOS High Sierra: The smart person's guide (TechRepublic)
- Something is rotten at Apple (ZDNet)
- Flaw in macOS High Sierra gives anyone root access, and here's the fix (TechRepublic)