macOS High Sierra Available—And Vulnerable to Keychain Attack

Researcher Patrick Wardle has discovered a critical vulnerability that allows an attacker to dump passwords in plaintext from the macOS Keychain. The vulnerability is in macOS High Sierra, Sierra and El Capitan, and has yet to be patched.

Apple made its latest OS update available Monday, but the release of High Sierra was tainted somewhat by the fact it comes replete with a critical vulnerability that allows an attacker to dump plaintext passwords from the macOS Keychain.

Researcher Patrick Wardle, chief security researcher at Synack, discovered the issue in early September and privately disclosed to Apple. The disclosure, however, did not preclude Apple from making High Sierra public yesterday. Wardle said in a post published yesterday that he expects a patch to be forthcoming.

The vulnerability is not exclusive to High Sierra; Wardle said he also tested it on Sierra, and that it appears El Capitan is vulnerable also.

Wardle did not provide specific information on the vulnerability, other than to say that non-privileged code or a malicious application could gain illicit access to the Keychain and steal passwords. He said the bar is set low in terms of ease of exploit.

Wardle emphasized too that an attacker would already have to be on a Mac machine in order to carry out his attack, and that the Keychain would have to be unlocked, which it is by default when the user logs in.

“Theoretically, this attack would be added as a capability or as a payload of such malware,” Wardle wrote. “For example, the malware would persist, survey the system, then use this attack to dump the keychain.”

The macOS Keychain is a critical security component for authentication. It’s an encrypted container that stores system usernames and passwords as well as credentials for applications and web-based services. It can also stored payment card data, banking PINs and other credentials. Accompanying Keychain is Keychain Access, a password management application that stores credentials in the keychain, saving the user from having to enter them over and over on the web.

Wardle said that while apps can have access to Keychain data, they should not have access to the entire system.

“Obviously random apps should not be able to access the entire keychain and dump things like plaintext passwords. In fact, even signed Apple utilities (i.e. /usr/bin/security) that are designed to legitimately access the keychain explicitly require user approval or most authenticate (with the user’s password) before they are allowed to retrieve sensitive keychain data,” Wardle wrote. “This of course is very wise security decision on Apple’s part.”

Wardle recommends that users be extra vigilant about running random applications from email and the web, in particular until a patch is available.

Wardle said his disclosure earlier this month included a proof-of-concept exploit.

Apple said in a statement provided to Threatpost: “macOS is designed to be secure by default, and Gatekeeper warns users against installing unsigned apps, like the one shown in this proof of concept, and prevents them from launching the app without explicit approval. We encourage users to download software only from trusted sources like the Mac App Store and to pay careful attention to security dialogs that macOS presents.”

Yesterday’s High Sierra release also included patches for 43 vulnerabilities, including several code execution and denial of service bugs. Apple also made public yesterday security releases for macOS Server 5.4 and iCloud for Windows 7.0.

Suggested articles