CVE-2017-13908

7.8 HIGH

📋 TL;DR

This vulnerability allows a local attacker to execute non-executable text files via an SMB share on macOS systems. The issue involves improper file permission handling that could lead to arbitrary code execution. Affected systems include macOS High Sierra, Sierra, and El Capitan before specific security updates.

💻 Affected Systems

Products:
  • macOS
Versions: macOS High Sierra 10.13, macOS Sierra, OS X El Capitan before security updates
Operating Systems: macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires SMB sharing to be enabled or accessible. Systems with SMB disabled are not vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Local privilege escalation leading to full system compromise and persistent backdoor installation.

🟠

Likely Case

Local attacker gains unauthorized code execution with user-level privileges on vulnerable systems.

🟢

If Mitigated

No impact if systems are fully patched or SMB sharing is disabled.

🌐 Internet-Facing: LOW - Requires local network access via SMB, not directly internet exploitable.
🏢 Internal Only: HIGH - Internal attackers with network access to SMB shares can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local network access and ability to interact with SMB shares. No public exploit code available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: macOS High Sierra 10.13.1, Security Update 2017-001 Sierra, Security Update 2017-004 El Capitan

Vendor Advisory: https://support.apple.com/en-us/HT208144

Restart Required: Yes

Instructions:

1. Open System Preferences > Software Update.
2. Install available security updates.
3. Restart the system when prompted.

🔧 Temporary Workarounds

Disable SMB Sharing

macOS

Disable SMB file sharing to prevent exploitation via network attack vector.

sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist

Restrict SMB Access

macOS

Use the macOS application firewall to block incoming connections to smbd. The application firewall filters per application, not per source network, so limiting SMB to trusted networks only requires a pf rule or a network firewall in addition.

# Block all incoming connections except those needed for basic services
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setblockall on
# Add smbd to the firewall's application list and mark it as blocked
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --add /usr/sbin/smbd
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --blockapp /usr/sbin/smbd

🧯 If You Can't Patch

  • Disable SMB file sharing completely on affected systems
  • Implement network segmentation to isolate vulnerable systems from untrusted networks

🔍 How to Verify

Check if Vulnerable:

Check the macOS version: a system running High Sierra 10.13 (before 10.13.1), Sierra, or El Capitan without the corresponding security update is vulnerable.

Check Version:

sw_vers

Verify Fix Applied:

Verify macOS version is 10.13.1 or later for High Sierra, or confirm Security Update 2017-001/004 is installed.
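The check above has one wrinkle: on High Sierra the fix shows up as a version bump (10.13.1), while on Sierra and El Capitan the version string does not change and you have to look for the Security Update in the install history. The script below is an added example, not part of this advisory or Apple's tooling; it classifies a version string using the fix versions listed above, and assumes that an installed update is recorded by name in /Library/Receipts/InstallHistory.plist.

```shell
#!/bin/sh
# Added example for CVE-2017-13908 (not vendor code).
# Fix versions from the advisory: High Sierra 10.13.1,
# Security Update 2017-001 (Sierra), Security Update 2017-004 (El Capitan).

# Prints one of: patched | vulnerable | not-listed
#   $1 = ProductVersion string as printed by `sw_vers -productVersion`
#   $2 = path of an install-history file to grep for the update name
#        (assumption: InstallHistory.plist lists installed updates by name);
#        only consulted for Sierra and El Capitan.
cve_2017_13908_status() {
    ver="$1"; history="$2"
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    patch=$(printf '%s' "$ver" | cut -d. -f3)
    patch=${patch:-0}          # "10.13" means 10.13.0
    update=""
    case "$major.$minor" in
        10.13)
            # High Sierra: the fix is the 10.13.1 release itself
            if [ "$patch" -ge 1 ]; then echo patched; else echo vulnerable; fi
            return ;;
        10.12) update="Security Update 2017-001" ;;   # Sierra
        10.11) update="Security Update 2017-004" ;;   # El Capitan
        *)     echo not-listed; return ;;             # not in the affected list
    esac
    # Sierra / El Capitan: version string is unchanged by the fix, so the
    # presence of the named Security Update in the install history decides.
    if grep -q "$update" "$history" 2>/dev/null; then
        echo patched
    else
        echo vulnerable
    fi
}

# Run the check on the local machine when this is actually a Mac.
if [ "$(uname -s)" = Darwin ]; then
    cve_2017_13908_status "$(sw_vers -productVersion)" \
        /Library/Receipts/InstallHistory.plist
fi
```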

📡 Detection & Monitoring

Log Indicators:

  • Unusual SMB connection attempts
  • Failed authentication attempts on SMB shares
  • Execution of unexpected text files via SMB

Network Indicators:

  • Unusual SMB traffic patterns
  • SMB connections from unexpected sources
  • File transfers followed by execution attempts

SIEM Query:

source="*smbd*" AND (event="authentication_failure" OR event="file_execution")

🔗 References