VYPR
Unrated severity · NVD Advisory · Published Dec 6, 2004 · Updated Apr 16, 2026

CVE-2004-0622

Description

Mac OS X fails to clear or mlock() memory used for login, Keychain, and FileVault passwords, exposing them in swap files to an attacker with root or physical access.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Apple Mac OS X 10.3.4, 10.4, 10.5, and possibly other versions do not properly clear memory or use mlock() to prevent sensitive data from being swapped out. The loginwindow.app, Keychain, and FileVault processes leave plaintext passwords in memory, and those pages may be written to swap files without being zeroed. The issue affects the handling of login passwords, Keychain passwords, and FileVault encryption passphrases. [1]

Exploitation

An attacker with root access on an active system can read swap files (e.g., /var/vm/swapfile0) and extract plaintext passwords using string search tools (e.g., strings -8). With physical access, pulling power from a sleeping machine without a proper shutdown allows retrieval of un-wiped swap files from disk. No authentication or additional privileges beyond local root or physical access are required. [1]

Impact

Successful exploitation allows the attacker to obtain plaintext passwords for the user's login, Keychain, and FileVault, defeating the protection offered by those encryption mechanisms. This is a confidentiality breach at the system level, as the attacker gains persistent credential material. [1]

Mitigation

Apple never released a patch for this issue. The vulnerability remains unaddressed in the affected versions (10.3.4, 10.4, 10.5). No workaround is documented in the available references. Administrators should consider disabling swap or using full-disk encryption on root volumes to reduce exposure. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. [1]

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

4
  • cpe:2.3:o:apple:mac_os_x:10.3.4:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:mac_os_x:10.4:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:mac_os_x:10.5:*:*:*:*:*:*:*
  • (no CPE) range: 10.3.4, 10.4, 10.5

Patches

0

No patches discovered yet.

References

5
