macOS High Sierra 'root' security bug: Here's how to fix it now!

Apple has patched a critical flaw discovered in macOS High Sierra that let an attacker log in as 'root' by leaving the password field blank and trying multiple times in a row.
Rene Ritchie
28 Nov 2017

macOS has a critical 'root' security bug — what you need to do right now

Apple has just released a security update for macOS High Sierra that patches the "root" vulnerability disclosed yesterday. While this bug should never have shipped, Apple's response to the problem and turnaround time on the fix have been impressive and reassuring.

Apple sent me the following statement:

"Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS," an Apple spokesperson told iMore.

When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8:00 a.m., the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra. 

We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again."

You can find the security update in the Updates tab of the App Store. If you're running macOS High Sierra, download and install it now, then make sure everyone you know does the same. If you don't, Apple will do it for you starting later today.

Here are the details on the patch, from Apple.com:

Security Update 2017-001

Released November 29, 2017

Directory Utility

Available for: macOS High Sierra 10.13.1

Not impacted: macOS Sierra 10.12.6 and earlier

Impact: An attacker may be able to bypass administrator authentication without supplying the administrator's password

Description: A logic error existed in the validation of credentials. This was addressed with improved credential validation.

CVE-2017-13872

When you install Security Update 2017-001 on your Mac, the build number of macOS will be 17B1002. Learn how to find the macOS version and build number on your Mac.

The original patch broke file sharing, so Apple has pushed out a new version of the update, 17B1002, to correct the problem.
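If you manage more than one Mac, the quickest way to confirm the update actually landed is to read each machine's build string and compare it against the one Apple lists above. The script below is an added example written for this page, not Apple's or iMore's code. It assumes the build-string layout you can see in 17B1002 (Darwin major, release-train letter, build number, optional lowercase beta suffix), treats every 10.13 build earlier than 17B1002 as unpatched, treats later major releases as carrying the fix forward, and reports beta builds as needing a manual check because their numbering does not line up with the release train. `sw_vers -buildVersion` is the stock macOS command that prints the build; the sample builds in the comments are illustrative inputs, not a version table.

```python
import re
import subprocess
from typing import Optional, Tuple

# Assumed layout: <Darwin major><release-train letter><build number>[beta suffix]
# e.g. 17B1002 -> major 17 (macOS 10.13), train B, build 1002, no suffix.
BUILD_RE = re.compile(r"^(\d+)([A-Z])(\d+)([a-z]?)$")

HIGH_SIERRA_MAJOR = 17
# First build that carries Security Update 2017-001, per Apple's note above.
FIXED_TRAIN, FIXED_NUMBER = "B", 1002


def parse_build(build: str) -> Tuple[int, str, int, str]:
    """Split a build string into (major, train, number, beta_suffix)."""
    match = BUILD_RE.match(build.strip())
    if match is None:
        raise ValueError(f"unrecognised build string: {build!r}")
    major, train, number, beta = match.groups()
    return int(major), train, int(number), beta


def classify_build(build: str) -> str:
    """Classify a macOS build with respect to CVE-2017-13872.

    Returns one of 'not affected', 'vulnerable', 'patched' or
    'beta build, verify manually'.
    """
    major, train, number, beta = parse_build(build)
    if major < HIGH_SIERRA_MAJOR:
        # Sierra 10.12.6 and earlier are listed as not impacted.
        return "not affected"
    if major > HIGH_SIERRA_MAJOR:
        # Assumption: later major releases ship with the fix included.
        return "not affected"
    if beta:
        # Beta numbering (e.g. a constructed 17C60a) does not sort against
        # the release train reliably, so do not guess.
        return "beta build, verify manually"
    if (train, number) >= (FIXED_TRAIN, FIXED_NUMBER):
        # 17B1002 itself and anything after it on the 10.13 line.
        return "patched"
    # Any 10.13.0 / 10.13.1 build from before the update.
    return "vulnerable"


def current_build() -> Optional[str]:
    """Read the running system's build via sw_vers; None when not on macOS."""
    try:
        result = subprocess.run(
            ["sw_vers", "-buildVersion"],
            capture_output=True, text=True, check=True,
        )
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return result.stdout.strip()


if __name__ == "__main__":
    build = current_build()
    if build is None:
        print("sw_vers not found; this is not a Mac")
    else:
        print(f"{build}: {classify_build(build)}")
```

Drop `classify_build` into whatever inventory tool you already run (an MDM extension attribute, an osquery result post-processor) and alert on anything that comes back "vulnerable"; a "patched" result only tells you the update is present, so the root-password check later on this page is still worth running.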

This was a zero-day: the bug was disclosed publicly before Apple had a patch for it. Lemi Orhan Ergin tweeted to Apple's support account that he had discovered a way to log into a Mac running High Sierra by entering the superuser name "root" with a blank password and then clicking the login button repeatedly. (Macs running Sierra or earlier versions of the OS are not affected.)

Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as "root" with empty password after clicking on login button several times. Are you aware of it @Apple?

— Lemi Orhan Ergin (@lemiorhan) November 28, 2017

Ergin should absolutely have disclosed this to Apple and given the company a chance to patch it before it went public, and Apple should never have allowed the bug to ship, but none of that matters right now.

Here's what's important: The "root" account allows super-user access to your system. It's disabled by default on macOS, and High Sierra is no exception. The bug is in how High Sierra validates credentials for that disabled account: the first attempt to authenticate as "root" with a blank password quietly saves that blank password to the account, and the next attempt with the same blank password gets in. Until it's patched, "root" effectively grants access to anyone who asks twice.

For a basic explanation of what's causing the issue, see Objective-See:

  • For accounts that are disabled (i.e., don't have 'shadowhash' data), macOS will attempt to perform an upgrade
  • During this upgrade, od_verify_crypt_password returns a non-zero value
  • The user (or attacker) specified password is then 'upgraded' and saved for the account

So, anybody who has physical access to your Mac, or who can reach it via screen sharing, VNC, or remote desktop, can enter "root" with a blank password at the login window or at any prompt that asks for an administrator's credentials, hit login repeatedly, and gain complete access to the machine.

Apple sent me the following statement:

"We are working on a software update to address this issue," an Apple spokesperson told iMore. "In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the 'Change the root password' section."

If you're comfortable with the command line, you can very quickly:

  1. Launch Terminal.
  2. Type: sudo passwd root (enter your own account password when sudo asks for it).
  3. Enter and confirm the new Root User Password when prompted. (Make it a strong, unique one!)

(On macOS, passwd's -u flag names an account to authenticate as; it does not mean "unlock" as it does on Linux, so the plain form above is the one to use.)

If not, you can use Directory Utility:

How to fix the root vulnerability on macOS High Sierra

🚨 If you're running #macOS #HighSierra, stop and do this *now* to fix the root access vulnerability.

Then share it with everyone you know and make sure they do it too.

📺: [Embedded]

📝: https://t.co/e9sErEvKNI pic.twitter.com/9jKcV7FAXm

— Rene Ritchie (@reneritchie) November 28, 2017

  1. Click on the Apple menu at the far left of the menubar.
  2. Click on System Preferences.
  3. Click on Users and Groups.
  4. Click on the Lock (🔒) icon.
  5. Enter your Password.
  6. Click on Login Options.
  7. Click on Join or Edit.
  8. Click on Open Directory Utility.
  9. Click on the Lock (🔒) icon.
  10. Enter your Password.
  11. Click on Edit in the menubar.
  12. Click on Enable Root User.
  13. Enter and confirm your Root User Password. (Make it a strong, unique one!)

Do not disable the Root User. That just blanks the password and allows the exploit to work again.

FWIW, we, @danielpunkass, and @dmoren all confirmed that if you disable the root account, the flaw resets the password to blank again.

— Dan Frakes (@DanFrakes) November 28, 2017
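To make Objective-See's three steps above, and the "don't disable root" warning just quoted, concrete, here is a small Python model of the flawed validation path. It is an added example written for this page, not Apple's opendirectoryd code and not Objective-See's; DirectoryStore, Account, the `vulnerable` switch and the PBKDF2 stand-in for ShadowHashData are all assumptions made to keep the model small. What it shows: on a vulnerable store, the first blank-password attempt against the disabled root account silently saves the blank password and the second attempt succeeds; setting a real root password closes the hole; disabling root again, which removes the shadowhash, reopens it; on the patched store the upgrade path never saves anything.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def _shadow_hash(password: str, salt: bytes) -> bytes:
    """PBKDF2 stand-in (assumption) for the salted hash macOS keeps as ShadowHashData."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 20_000)


@dataclass
class Account:
    name: str
    # (salt, hash) when the account has a password; None when it is disabled,
    # which is root's default state on macOS.
    shadowhash: Optional[Tuple[bytes, bytes]] = None


class DirectoryStore:
    """Toy stand-in for the local directory node (assumption, not opendirectoryd)."""

    def __init__(self, vulnerable: bool) -> None:
        self.vulnerable = vulnerable
        self.accounts: Dict[str, Account] = {"root": Account("root")}

    def set_password(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[name].shadowhash = (salt, _shadow_hash(password, salt))

    def disable(self, name: str) -> None:
        # 'Disable Root User' in Directory Utility: the shadowhash goes away,
        # which is exactly the state the bug needs.
        self.accounts[name].shadowhash = None

    def od_verify_crypt_password(self, account: Account, password: str) -> int:
        """Legacy-credential check used only on the upgrade path.

        Per the description on this page, the vulnerable build returns non-zero
        here for a disabled account and the caller treats that as 'verified'.
        The patched build is modelled as returning 0 (assumption).
        """
        return 1 if self.vulnerable else 0

    def authenticate(self, name: str, password: str) -> bool:
        account = self.accounts.get(name)
        if account is None:
            return False
        if account.shadowhash is None:
            # Upgrade path for accounts without shadowhash data.
            if self.od_verify_crypt_password(account, password) != 0:
                # The supplied password, blank included, is 'upgraded' and saved.
                self.set_password(name, password)
            return False  # this attempt still fails; the next one will not
        salt, stored = account.shadowhash
        return hmac.compare_digest(_shadow_hash(password, salt), stored)


def blank_root_login(store: DirectoryStore, attempts: int = 2) -> bool:
    """Emulate typing 'root', leaving the password blank and clicking repeatedly."""
    return any(store.authenticate("root", "") for _ in range(attempts))


def walkthrough(vulnerable: bool) -> Dict[str, bool]:
    """Run the attack against a fresh store, after the fix, and after disabling root."""
    store = DirectoryStore(vulnerable=vulnerable)
    outcome = {"fresh_install": blank_root_login(store)}
    store.set_password("root", "correct horse battery staple")  # the mitigation
    outcome["after_setting_password"] = blank_root_login(store)
    store.disable("root")  # the step the page warns against
    outcome["after_disabling_root"] = blank_root_login(store)
    return outcome


if __name__ == "__main__":
    print("vulnerable build:", walkthrough(vulnerable=True))
    print("patched build:   ", walkthrough(vulnerable=False))
```

The model is why a single failed login is the tell: on a vulnerable machine the first blank attempt is the write, the second is the read. It is also why "set a root password" is a real mitigation and "disable root" is not; the mitigation only holds while shadowhash data exists for the account.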

Apple needs to fix this stat. In the meantime, share this information with everyone you know who uses a Mac on High Sierra and make sure they test and validate that "root" access is blocked before you let them resume their day.

Updated to include Apple's statement and Objective See's description of the problem.

Updated to include Apple's patch and statement on the patch.

Updated to include file sharing bug in the patch, and the updated patch to fix the file sharing bug.
