IT / MIS / Engineering

Major Security Flaw in macOS High Sierra Allows Full Root/Admin Access Without Requiring A Password

 

It appears that macOS High Sierra (v10.13.0 & 10.13.1) has a major security bug.

While I only just heard about this a few minutes ago, based on my testing so far, it appears that what’s happening specifically is that any attempt to authenticate as the “root” user will initially fail (as it should, as macOS by default, ships with the root account both disabled, and without any password set, for security reasons).

However, in High Sierra currently, when that first authentication attempt fails, for some reason, the root user is being enabled.  Worse yet, it’s being enabled, while it is yet to have a root password set… so the net result ends up being that, any attempt to authenticate as the root user (via Login Window, admin settings padlock unlocking, or wherever), will fail the first try, and then from that point on, you can successfully authenticate as the root user by leaving the password field empty.

Username root, with no password, allows full admin/root access to the system… and since this is an issue with the operating system’s authentication process itself (rather than a bug in a particular application or service’s implementation of the authentication process), the security flaw can be exploited anywhere!  The Finder, unlocking admin System Preferences, the command line, and even any enabled services that are accessible remotely (i.e. Screen Sharing, File Sharing, or SSH) are all vulnerable and potential attack vectors, making the potential implications, and seriousness of this flaw hard to overstate.

This is a big enough deal I’m sure that Apple will release an update very soon, but, in the meantime.  You can mitigate your vulnerability by taking the actions shown below.

 

Take Action:

While this doesn’t actually fix the OS bug that inappropriately enables the root account, if you follow the steps below, you can safeguard your system from being exploited by it.

The screenshot pictures contain text instructions in addition to their visual guides:

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Update:

Jon Jewett
November 30, 2017 at 8:37 PM

‘Gotta give them credit. Apple patched this flaw fast. Anyone running macOS High Sierra v10.13.0 or 10.13.1, can simply open the Mac App Store application, click on the “Updates” tab (all the way to the right), and a Security Update (named: Security Update 2017-001) will appear, along with the message to “Install this update as soon as possible.”

More information about the update, including steps to verify that the flaw was patched after running the update, can be found at: https://support.apple.com/en-us/HT208315

 

 

Update:

Jon Jewett
December 4, 2017 at 2:17 PM

Ok… so, maybe the “credit” I gave Apple for their fast response with the security patch was premature… While it’s true that whenever there’s a problem or software bug of some kind with an Apple product or service, it seems to me that the whole internet/blogosphere gets a little hyperbolic in its criticism and framing of the issue’s significance, but, in this case, its hard to imagine a more devastating, and fundamental security flaw.

Not only that, but it now appears that Apple posted “fix” has a few not insignificant issues of it’s own.

It seems it breaks File Sharing for some users (via: https://9to5mac.com/2017/11/29/how-to-fix-macos-file-share/). Ok, a forgivable error for such an important patch… However, it now seems that if a system running macOS v10.13.0 applies the security patch, a subsequent OS update to v10.13.1 will undo the fix, returning the system to it’s previously, terribly flawed state, and require patching all over again (via: https://www.wired.com/story/macos-update-undoes-apple-root-bug-patch/).

I’m sure the massive success (sales, popularity, and profit) of the iPhone/iOS product line, and the fact that it absolutely dwarfs Apple’s Mac/macOS line plays some part in problems like this… but really, it’s hard not to start questioning their current practice of doing a major OS rev every single year now.

Call me crazy, but Mac OS X Tiger’s long life (there were eleven point updates!) had it poised as a mature, stable culmination of Apple’s OS X operating system up to that point. Then, major feature additions (and underlying architectural changes) were introduced in OS X Leopard. It went through it’s own maturing process, and then, when it was time for the next major OS revision, they unveiled OS X Snow Leopard. A refocusing, and doubling down on making the existing feature-set absolutely rock solid. In fact, a reasonable argument could be made for Snow Leopard being a high point in performance and reliability that macOS hasn’t achieved since.

And no, High Sierra is not a similar release (at least in any way other than it’s marketing). I think I remember it being likened to Snow Leopard during its WWDC introduction, but I think the association was made simply because of the lack of flashy user-facing feature additions. However, instead of forgoing new features to work hard on refining and hardening the existing OS, High Sierra is making radical, under-the-hood architectural changes, and at their current clip of major OS revisions rev’ing annually… it’s hard to have confidence that this will be a one-time thing.

 

 

Update:

Jon Jewett
December 5, 2017 at 11:14 AM

The guys over at “Objective-See” did a fantastic job fully deconstructing #iamroot, and explaining exactly what went wrong, how, and why. Definitely worth a read for developer/engineer/sysadmin types: https://objective-see.com/blog/blog_0x24.html

 

Leave a Reply

Your email address will not be published. Required fields are marked *