Apple has just released a security update for macOS High Sierra that patches the "root" vulnerability dropped yesterday. While this bug should never have shipped, Apple's response to the problem and turn around time on the fix have been impressive and reassuring.
Apple sent me the following statement:
"Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS," an Apple spokesperson told iMore.When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8:00 a.m., the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra. We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again."
You can find the security update in Software Updates and if you're running macOS High Sierra, you should download and install it now, then make sure everyone you know does the same. If you don't, Apple will do it for you starting later today.
Here are the details on the patch, from Apple.com:
Security Update 2017-001Released November 29, 2017Directory UtilityAvailable for: macOS High Sierra 10.13.1Not impacted: macOS Sierra 10.12.6 and earlierImpact: An attacker may be able to bypass administrator authentication without supplying the administrator's passwordDescription: A logic error existed in the validation of credentials. This was addressed with improved credential validation.CVE-2017-13872When you install Security Update 2017-001 on your Mac, the build number of macOS will be 17B1002. Learn how to find the macOS version and build number on your Mac.
The original patch caused issues with files sharing so Apple has pushed out a new version, 17B1002, to correct the problem.
This is a zero-day exploit. Lemi Orhan Ergin tweeted to Apple's support account that he had discovered a way to log into a Mac running High Sierra by using the superuser "root" and then clicking the login button repeatedly. (Mac's running Sierra or earlier versions of the OS are not affected.)
Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as "root" with empty password after clicking on login button several times. Are you aware of it @Apple?Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as "root" with empty password after clicking on login button several times. Are you aware of it @Apple?— Lemi Orhan Ergin (@lemiorhan) November 28, 2017November 28, 2017
Ergin should absolutely have disclosed this to Apple and given the company a chance to patch it before it went public, and Apple should never have allowed the bug to ship, but none of that matters right now.
Here's what's important: The "root" account allows super-user access to your system. It's supposed to be disabled by default on macOS. For whatever reason, it's not on High Sierra. Instead, "root" is enabled and currently allows access to anyone without a password.
For a basic explanation of what's causing the issue, see Objective See:
- For accounts that are disabled (i.e. don't have 'shadowhash' data) macOS will attempt to perform an upgrade
- During this upgrade, od_verify_crypt_password returns a non-zero value
- The user (or attacked) specified passwor is then 'upgraded' and saved for the account
So, anybody who has physical access to your Mac or can get through via screen sharing, VNC, or remote desktop, and enters "root" and hits login repeatedly, can gain complete access to the machine.
Apple sent me the following statement:
"We are working on a software update to address this issue," an Apple spokesperson told iMore. "In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the 'Change the root password' section."
If you're comfortable with the command line, you can very quickly:
- Launch Terminal.
- Type: sudo passwd -u root.
- Enter and confirm your Root User Password. (Make it a strong, unique one!)
If not, you can use Open Directory Utility:
How to fix the root/ vulnerability on macOS High Sierra
🚨 If you're running #macOS #HighSierra, stop and do this *now* to fix the root access vulnerability.Then share it with everyone you know and make sure they do it too.📺: [Embedded]📝: https://t.co/e9sErEvKNI pic.twitter.com/9jKcV7FAXm— Rene Ritchie (@reneritchie) November 28, 2017
- Click on Apple () at the far left of the menubar.
- Click on System Preferences.
- Click on Users and Groups.
- Click on the Lock (🔒) icon.
- Enter your Password.
- Click on Login Options.
- Click on Join or Edit.
- Click on Open Directory Utility.
- Click on the Lock (🔒) icon.
- Enter your Password.
- Click on Edit in the menubar.
- Click on Enable Root User.
- Enter and confirm your Root User Password. (Make it a strong, unique one!)
Do not disable the Root User. That just blanks the password and allows the exploit to work again.
FWIW, we, @danielpunkass, and @dmoren all confirmed that if you disable the root account, the flaw resets the password to blank again.FWIW, we, @danielpunkass, and @dmoren all confirmed that if you disable the root account, the flaw resets the password to blank again.— Dan Frakes (@DanFrakes) November 28, 2017November 28, 2017
Apple needs to fix this stat. In the meantime, share this information with everyone you know who uses a Mac on High Sierra and make sure they test and validate that "root" access is blocked before you let them resume their day.
Updated to include Apple's statement and Objective See's description of the problem.
Updated to include Apple's patch and statement on the patch.
Updated to include file sharing bug in the patch, and the updated patch to fix the file sharing bug.
