A critical security flaw in macOS High Sierra, aka macOS 10.13, allows users to gain admin rights, or log in as root, without a password. The consequences could be serious. Anyone having physical access to the system can log in to your user account, unlock your keychain and reveal your passwords, turn off FileVault, OS X’s disk encryption program Or can create their own user. The vulnerability was publicly disclosed on Twitter. The vulnerability has been assigned CVE-2017-13872.
Vulnerability:
The security bug can be triggered via the authentication dialog box in Apple’s operating system, which prompts you for an administrator’s username and password when you need to do any changes in system preference (System Preferences > Users & Groups). In order to get full access, attacker would just need to type in “root” as the username, leave the password box blank, click “unlock” twice.
It seems that on November 13, someone on an Apple developer forum disclosed the very vulnerability. A video demonstration can be found here.
Apple confirmed the problem and issued the following statement.
“We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section.”
This bug can be triggered via the command line also. This will allow malware and malicious apps to silently grab root privileges on High Sierra macOS.
osascript -e 'do shell script "id" with administrator privileges user name "root" password ""'
We also observed that an attacker can log into system even if the root account is disabled. The first attempt to log in as root enables the root user account with no password and the second attempt gives root access.
Mitigation:
Apple has addressed this issue in Security Update 2017-001. We request organization to patch their machines with this update. In order to quickly look for the vulnerable assets, customers can use query “operatingSystem:”MacOS X 17″ in Qualys AssetView, or customers can run Policy Compliance Control CID 12203 (Status of the Operating System (OS) product version on the host) to identify the vulnerable host versions. Customers can use “QID#370664 Apple macOS High Sierra Authentication Bypass Vulnerability (APPLE-SA-2017-11-29-1)” to identify the vulnerable assets in their environment. If immediate update is not possible, users are advised to set a strong password for the root account. The password status can be checked with Policy Compliance control CID 12202 (Status of the password set for the ‘root’ account).
Please continue to follow ThreatProtect for more coverage on this vulnerability.