CVE-2017-13887
Description
In macOS High Sierra before 10.13.2, a logic issue existed in APFS when deleting keys during hibernation. This was addressed with improved state management.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
APFS encryption keys may not be securely deleted after hibernation in macOS High Sierra before 10.13.2, leading to potential key recovery.
Vulnerability
In macOS High Sierra before 10.13.2, a logic issue existed in the Apple File System (APFS) implementation that caused encryption keys not to be securely deleted from memory during hibernation [1]. The flaw affects APFS volumes with encryption enabled on macOS High Sierra 10.13.1 and earlier, specifically when the system enters hibernation mode.
Exploitation
An attacker with physical access to the Mac or access to a memory dump (such as through a cold boot attack or forensic analysis) could potentially recover the APFS encryption keys from hibernation images [1]. No user interaction beyond the system entering hibernation is required; the keys remain in memory when they should have been securely deleted before the system powers down.
Impact
Successful exploitation could lead to disclosure of APFS encryption keys, compromising the confidentiality of data on encrypted APFS volumes [1]. This undermines the protections guaranteed by FileVault full-disk encryption on macOS High Sierra.
Mitigation
Apple addressed this issue in macOS High Sierra 10.13.2, released on December 6, 2017 [1]. Users should update to macOS High Sierra 10.13.2 or later. No workaround is available for earlier versions; the only mitigation is installing the security update.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <10.13.2
References
[1] support.apple.com/HT208331 (mitre, x_refsource_CONFIRM)