VYPR
Unrated severity · NVD Advisory · Published Oct 18, 2014 · Updated May 6, 2026

CVE-2014-4432

Description

fdesetup in Apple OS X before 10.10 does not properly display the encryption status in between a setting-update action and a reboot action, which might make it easier for physically proximate attackers to obtain cleartext data by leveraging ignorance of the reboot requirement.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apple OS X before 10.10's fdesetup fails to clearly show encryption status between an update and a reboot, letting proximate attackers obtain cleartext data by exploiting user ignorance of the reboot requirement.

Vulnerability

fdesetup in Apple OS X before 10.10 does not properly display the encryption status in between a setting-update action and a reboot action [1]. This means that after a user initiates an encryption-related setting change (for example, enabling FileVault full-disk encryption) but before the system is rebooted, the status shown by fdesetup may misleadingly indicate that encryption is fully active and protecting data, even though the change requires a reboot to take effect. Affected versions are all OS X releases prior to Yosemite 10.10 [1].

Exploitation

An attacker with physical proximity to the affected device can take advantage of this bug [1]. No special network access or authentication is required beyond being able to physically access the machine. The attack hinges on the user’s ignorance of the reboot requirement: after the user applies an encryption setting (such as enabling FileVault) but before they reboot, the attacker can gain access to the system while it is still running and read cleartext data from the filesystem that the user believed to be encrypted [1].

Impact

Successful exploitation leads to disclosure of cleartext data that the user expected to be protected by encryption [1]. The attacker does not gain persistent code execution or elevated system privileges beyond what physical access provides; the impact is limited to information disclosure of unencrypted files on the disk before the required reboot completes the encryption process [1].

Mitigation

Users should upgrade to OS X Yosemite v10.10 or later, which includes the fix [1]. As a workaround, users are advised to always reboot immediately after making any encryption setting change via fdesetup to ensure the intended encryption state is fully applied. Apart from this practice, no workaround exists for systems that remain on an unpatched version. The vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
