CVE-2017-13887

7.5 HIGH

📋 TL;DR

This macOS vulnerability allows attackers to bypass authentication and gain root access to systems without a password. It affects macOS High Sierra systems before version 10.13.2. The flaw exists in APFS file system logic during hibernation state management.

💻 Affected Systems

Products:
  • macOS
Versions: macOS High Sierra versions before 10.13.2
Operating Systems: macOS High Sierra
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using the APFS file system (the default for High Sierra). Systems with FileVault enabled may have additional protection.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise with root access, allowing installation of persistent malware, data theft, and full control of the affected system.

🟠 Likely Case: Local privilege escalation allowing attackers with physical or remote desktop access to bypass authentication and gain administrative privileges.

🟢 If Mitigated: Limited impact if systems are fully patched, use strong authentication controls, and restrict physical access to sensitive systems.

🌐 Internet-Facing: LOW - This is primarily a local authentication bypass requiring physical or remote desktop access to exploit.
🏢 Internal Only: MEDIUM - Internal attackers with physical access or remote desktop capabilities could exploit this for privilege escalation.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple exploit requiring physical access or remote desktop control. Demonstrated publicly with easy-to-follow steps.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: macOS High Sierra 10.13.2 or later

Vendor Advisory: https://support.apple.com/HT208331

Restart Required: Yes

Instructions:

1. Open System Preferences
2. Click Software Update
3. Install the macOS High Sierra 10.13.2 or later update
4. Restart the system when prompted

🔧 Temporary Workarounds

Enable FileVault (macOS)

Full disk encryption adds an additional authentication layer that may prevent exploitation:

sudo fdesetup enable

Disable Automatic Login (macOS)

Prevents the login screen from being bypassed automatically:

sudo defaults write /Library/Preferences/.GlobalPreferences com.apple.userspref.DisableAutoLogin -bool YES

🧯 If You Can't Patch

  • Restrict physical access to vulnerable systems
  • Disable remote desktop/SSH access to vulnerable systems

🔍 How to Verify

Check if Vulnerable:

Check the macOS version: if the system runs High Sierra and the version is below 10.13.2, it is vulnerable.

Check Version:

sw_vers

Verify Fix Applied:

Verify that the macOS version is 10.13.2 or later and that the authentication bypass no longer succeeds using the known exploit methods.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed login attempts followed by successful root access
  • Unexpected authentication events in system.log

Network Indicators:

  • Unusual remote desktop connections to vulnerable systems

SIEM Query:

source="system.log" AND ("root" OR "authentication") AND "failed" AND "successful"
