CCE-50146-0 | Platform: cpe:/o:apple:mac_os_13 | Date: (C)2024-04-17 (M)2024-04-17
To use a computer with Full Disk Encryption (FDE), macOS must keep the encryption keys in memory so that the FileVault-protected disk can be used. Once the storage volume has been unlocked, it behaves as if it were not encrypted. Only when the system is fully powered down is the volume protected by its encryption.
While the system is asleep and ready to resume quickly, the encryption keys remain in memory. If an unauthorized party gains possession of a computer that has merely been put to sleep, there are known attack vectors against the RAM that holds the encryption keys, or against the running operating system behind its login screen.
Network attacks (if network interfaces are on) and attacks through USB or other open device ports are also possible. Most of these attacks require knowledge of unpatched vulnerabilities or a high level of sophistication if all other controls function as intended.
Impact:
The laptop will take additional time to resume normal operation after hibernating rather than merely sleeping. Touch ID will not be available when waking from hibernate. Setting hibernatemode to 25 disables the "always-on" feature of Apple Silicon Macs.
Rationale:
To mitigate the risk of data loss, the system should power down and lock the encrypted drive after a specified time. Laptops should hibernate within 15 minutes of going to sleep.
Audit:
Terminal Method:
Run the following command to determine whether the system is a MacBook (the battery sleep settings below apply only to laptops):
$ /usr/bin/sudo /usr/sbin/system_profiler SPHardwareDataType | /usr/bin/grep -e MacBook
If there is output, run the following to verify the sleep settings:
$ /usr/bin/sudo /usr/bin/pmset -b -g | /usr/bin/grep -e "^ sleep"
The output should be sleep with a value ≤ 15.
$ /usr/bin/sudo /usr/bin/pmset -b -g | /usr/bin/grep -e "displaysleep"
The output should be displaysleep with a value ≤ 10 and ≤ the value of sleep.
$ /usr/bin/sudo /usr/bin/pmset -b -g | /usr/bin/grep hibernatemode
The output should be:
hibernatemode 25
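The audit above is three grep commands read by eye. The script below is an added example (not part of the CCE entry or of any Apple or SecPod tooling) that applies the same thresholds mechanically: check_pmset_output parses "pmset -g"-style text from stdin and returns non-zero if any setting fails, while audit_live_system runs the real pmset and system_profiler on a Mac. The function names and the sample pmset output are constructed for this example. It goes one step beyond the page's wording by treating a value of 0 as a failure, because pmset uses 0 to mean "never sleep".

```shell
#!/bin/sh
# Added audit helper (not part of the CCE-50146-0 text): checks pmset output
# against the thresholds stated in the Audit section.

SLEEP_MAX=15          # Audit: sleep <= 15 minutes
DISPLAYSLEEP_MAX=10   # Audit: displaysleep <= 10 and <= sleep
HIBERNATEMODE_WANT=25 # Audit: hibernatemode 25

# Print the value of one pmset setting ($1) from pmset -g text on stdin.
# Setting lines look like " displaysleep         10" (indent, name, value);
# awk's default field splitting ignores the leading whitespace.
pmset_value() {
    awk -v key="$1" '$1 == key { print $2; exit }'
}

# Return 0 if $1 is a non-empty string of decimal digits, 1 otherwise.
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Evaluate pmset -g text from stdin. Prints one PASS/FAIL line per setting
# and returns 0 only when every setting satisfies the audit.
check_pmset_output() {
    pm_out=$(cat)
    sleep_v=$(printf '%s\n' "$pm_out" | pmset_value sleep)
    disp_v=$(printf '%s\n' "$pm_out" | pmset_value displaysleep)
    hib_v=$(printf '%s\n' "$pm_out" | pmset_value hibernatemode)
    rc=0

    # sleep: present, numeric, 1..SLEEP_MAX. 0 means "never sleep" in pmset,
    # so it fails even though it is numerically <= 15 (caveat added here).
    if is_uint "$sleep_v" && [ "$sleep_v" -gt 0 ] && [ "$sleep_v" -le "$SLEEP_MAX" ]; then
        echo "PASS sleep=$sleep_v (<= $SLEEP_MAX)"
    else
        echo "FAIL sleep='$sleep_v' (want 1..$SLEEP_MAX)"; rc=1
    fi

    # displaysleep: numeric, 1..DISPLAYSLEEP_MAX, and not greater than sleep
    # (the comparison is skipped when sleep itself is not numeric).
    if is_uint "$disp_v" && [ "$disp_v" -gt 0 ] && [ "$disp_v" -le "$DISPLAYSLEEP_MAX" ] \
       && { ! is_uint "$sleep_v" || [ "$disp_v" -le "$sleep_v" ]; }; then
        echo "PASS displaysleep=$disp_v (<= $DISPLAYSLEEP_MAX and <= sleep)"
    else
        echo "FAIL displaysleep='$disp_v' (want 1..$DISPLAYSLEEP_MAX and <= sleep)"; rc=1
    fi

    # hibernatemode: exactly 25, so RAM is powered off and the keys leave memory.
    if [ "$hib_v" = "$HIBERNATEMODE_WANT" ]; then
        echo "PASS hibernatemode=$hib_v"
    else
        echo "FAIL hibernatemode='$hib_v' (want $HIBERNATEMODE_WANT)"; rc=1
    fi
    return $rc
}

# Run the audit on this machine against battery settings, as the Audit
# section does. Reading pmset settings needs no root; skips where pmset is absent.
audit_live_system() {
    command -v pmset >/dev/null 2>&1 || { echo "pmset not found; skipping live audit"; return 0; }
    if system_profiler SPHardwareDataType 2>/dev/null | grep -q MacBook; then
        pmset -b -g | check_pmset_output
    else
        echo "not a MacBook; battery sleep audit does not apply"
    fi
}

# Constructed sample of pmset -b -g output (not captured from a real system),
# so the checker can be exercised without a Mac:
#   printf '%s\n' "$SAMPLE_COMPLIANT" | check_pmset_output
SAMPLE_COMPLIANT=' sleep                10
 displaysleep         5
 hibernatemode        25'
```

On a MacBook, run audit_live_system; anywhere else, pipe saved pmset output into check_pmset_output. The exit status makes the check usable from a configuration-management or fleet-reporting job without parsing the text.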
Parameter:
[System_sleep_timer_in_minutes, Display_sleep_timer_in_minutes, hibernate_mode_value]
Technical Mechanism:
Remediation:
Terminal Method:
Run the following commands to set the sleep timers and hibernate mode, substituting values that meet the stated limits:
$ /usr/bin/sudo /usr/bin/pmset -a sleep <value ≤ 10>
$ /usr/bin/sudo /usr/bin/pmset -a displaysleep <value ≤ 15 and ≤ the sleep value>
$ /usr/bin/sudo /usr/bin/pmset -a hibernatemode 25
CCSS Severity:
CCSS Score: 7.8
Exploit Score: 1.8
Impact Score: 5.9
Severity: HIGH
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CCSS Metrics:
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: HIGH
Integrity: HIGH
Availability: HIGH
References:
Resource Id | Reference
---|---
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:99065