CVE-2014-4430

Vulnerability

CoreStorage in Apple OS X before 10.10 retains a volume's encryption keys when the volume is ejected while in the unlocked state. This affects all versions prior to OS X Yosemite v10.10. The bug resides in the CoreStorage volume management component, which does not properly discard cryptographic material upon ejection.

Exploitation

An attacker with physical access to the system can exploit this by ejecting an unlocked encrypted volume and then remounting it. Because the encryption keys are still retained in memory, the remount operation can bypass the need for the user's password, granting access to the cleartext data without authentication.

Impact

Successful exploitation allows a physically proximate attacker to read the contents of an encrypted CoreStorage volume without knowing the encryption passphrase. This results in a complete compromise of confidentiality for data stored on that volume.

Mitigation

Apple addressed this issue in OS X Yosemite v10.10 [1]. Users should upgrade to OS X 10.10 or later. No workaround is available for earlier versions; the only mitigation is to ensure volumes are fully unmounted (not just ejected) or to power off the system before physical access is possible.