Major vulnerability in Apple's macOS provides System Administrator access with few instruc...

Posted:
in macOS edited November 2017
A new security flaw in macOS High Sierra has been discovered by researchers -- one that can grant users access to the system administrator account on a target machine, enabling access to the account without requiring a password.




Posted on Twitter by software engineer Lemi Orhan Ergin, the vulnerability requires relatively few steps to accomplish, and takes advantage of a section within the System Preferences menu. AppleInsider is not publishing the full set of instructions for the sake of security, but staff tests have confirmed it to be functional, and extremely simple to follow.

Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as "root" with empty password after clicking on login button several times. Are you aware of it @Apple?

-- Lemi Orhan Ergin (@lemiorhan)


Once the few steps were performed, AppleInsider staff discovered the "root" System Administrator account on the Mac mini with macOS 10.13.1 being used for testing was enabled, despite having been previously disabled. After disabling the account, following the same instructions re-enabled the account.

The flaw exists in all versions of High Sierra, including Beta 5 that was released earlier on Tuesday.

Granting access to the System Administrator account allows users free reign to the macOS desktop, including the ability to view all files stored on the computer in all user accounts, edit the credentials of other users, and alter other settings on the device.

It is unclear if Apple was advised of the security issue before Ergin's Twitter disclosure, but his query to Apple Support asks "Are you aware of it @Apple?" suggesting no such advance warning was made.

While a major vulnerability, it still requires access to the computer either locally or with a Remote Access connection. It also needs an authorized user to be logged in to generate the Root account with no password. Disabling the Guest account provides a level of protection, by requiring users to have a presumably secure password to access the computer in the first place.

In a support page, Apple says that the Root user is not intended for routine use, with the user getting privileges that allow changes to files that are required by the Mac.

The ultimate protection against the exploit is to disable Guest access. This can be accomplished by opening up System Preferences, and turning off Allow guests to log in to this computer




To disable the Root user, select System Preferences, then click Users & Groups.

Click on the lock icon, and authenticate with an administrator's name and password. Click Login Options



Click Join or Edit.



Click Open Directory Utility, and click on the lock icon to authenticate. Pull down the Edit menu, and select Disable Root User that will be in the same place as Enable Root User.



There is no way to generate the Root account from the login screen. After disabling the Root user, unless the procedure is followed again, the computer is secured.

Alternatively, from the Directory Utility, the Root account password can be changed. This will prevent the exploit from working again but can have unintended consequences, and the invocation of Root credential entry at unexpected times.

Update: Apple subsequently issued a statement to iMore

"We are working on a software update to address the issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012M. If a Root User is already enabled, to ensure a black password is not set, please follow the instructions from the "Change the root password" section.
«13

Comments

  • Reply 1 of 44
    Your instructions are incorrect. Disabling the root user doesn't help.

    https://news.ycombinator.com/item?id=15800676 says 
    "You're enabling the root user EVERY time you use this vulnerability. Even if you disable the root user in Directory Utility, logging in with root and no password will re-enable the root user."

    You really need to set a password for "root" (using the same Directory Utility tool & nearby menu). After Apple releases a fix, remember to come back and disable the root user.
    liftfromthekneesgnnonidysamoria
  • Reply 2 of 44
    Fresh installation of High Sierra here. Root user was not enabled. 
    macplusplus
  • Reply 3 of 44
    Scary. Yes, this bug is real as I just tried it and enabled root with my own password. Scary scary scary... Apple will move fast on this, no?
  • Reply 4 of 44
    Mike WuertheleMike Wuerthele Posts: 4,895administrator
    Your instructions are incorrect. Disabling the root user doesn't help.

    https://news.ycombinator.com/item?id=15800676 says 
    "You're enabling the root user EVERY time you use this vulnerability. Even if you disable the root user in Directory Utility, logging in with root and no password will re-enable the root user."

    You really need to set a password for "root" (using the same Directory Utility tool & nearby menu). After Apple releases a fix, remember to come back and disable the root user.
    Sure it does. Don't execute the flaw again, and prevent other users from doing so by disabling Guest access, and the Root user with no password won't appear again. That said, we've inserted more information about changing the root user's password -- which can have unintended consequences, especially if you forget the password.
    edited November 2017
  • Reply 5 of 44
    The original guy that  found this should have quietly notified Apple through the official channels for reporting vulnerabilities. If Apple had not responded in a fair amount of time - then go public. He has just exposed a lot of people to having information stolen.
    magman1979cfc
  • Reply 6 of 44
    SoliSoli Posts: 9,276member
    Your instructions are incorrect. Disabling the root user doesn't help.

    https://news.ycombinator.com/item?id=15800676 says 
    "You're enabling the root user EVERY time you use this vulnerability. Even if you disable the root user in Directory Utility, logging in with root and no password will re-enable the root user."

    You really need to set a password for "root" (using the same Directory Utility tool & nearby menu). After Apple releases a fix, remember to come back and disable the root user.
    Sure it does. Don't execute the flaw again, and prevent other users from doing so by disabling Guest access, and the Root user with no password won't appear again. That said, we've inserted more information about changing the root user's password -- which can have unintended consequences, especially if you forget the password.
    So that means you can 1) disable the Guest User,  or 2) keep keep Guest User active and change the Root User password to keep this security error at bay?
    edited November 2017
  • Reply 7 of 44
    Mike WuertheleMike Wuerthele Posts: 4,895administrator
    Soli said:
    Your instructions are incorrect. Disabling the root user doesn't help.

    https://news.ycombinator.com/item?id=15800676 says 
    "You're enabling the root user EVERY time you use this vulnerability. Even if you disable the root user in Directory Utility, logging in with root and no password will re-enable the root user."

    You really need to set a password for "root" (using the same Directory Utility tool & nearby menu). After Apple releases a fix, remember to come back and disable the root user.
    Sure it does. Don't execute the flaw again, and prevent other users from doing so by disabling Guest access, and the Root user with no password won't appear again. That said, we've inserted more information about changing the root user's password -- which can have unintended consequences, especially if you forget the password.
    So taht means you can 1) Disable the Guest User and Disable Root User, or 2) keep keep Guest User active and change the Root User password to keep this security error at bay?
    Yup, either works. With 1, if you have a rogue user with a login and password, the Root account can be re-generated, though.

    If you want to keep Guest active, your #2 there is the only way to go. 
  • Reply 8 of 44
    SoliSoli Posts: 9,276member
    Soli said:
    Your instructions are incorrect. Disabling the root user doesn't help.

    https://news.ycombinator.com/item?id=15800676 says 
    "You're enabling the root user EVERY time you use this vulnerability. Even if you disable the root user in Directory Utility, logging in with root and no password will re-enable the root user."

    You really need to set a password for "root" (using the same Directory Utility tool & nearby menu). After Apple releases a fix, remember to come back and disable the root user.
    Sure it does. Don't execute the flaw again, and prevent other users from doing so by disabling Guest access, and the Root user with no password won't appear again. That said, we've inserted more information about changing the root user's password -- which can have unintended consequences, especially if you forget the password.
    So taht means you can 1) Disable the Guest User and Disable Root User, or 2) keep keep Guest User active and change the Root User password to keep this security error at bay?
    Yup, either works. With 1, if you have a rogue user with a login and password, the Root account can be re-generated, though.

    If you want to keep Guest active, your #2 there is the only way to go. 
    Does this in any way affect rebooting a machine into Single User Mode? I've seen nothing about it, but this security issue makes me wonder if that could also be an entry point.
  • Reply 9 of 44
    Mike WuertheleMike Wuerthele Posts: 4,895administrator
    Soli said:
    Soli said:
    Your instructions are incorrect. Disabling the root user doesn't help.

    https://news.ycombinator.com/item?id=15800676 says 
    "You're enabling the root user EVERY time you use this vulnerability. Even if you disable the root user in Directory Utility, logging in with root and no password will re-enable the root user."

    You really need to set a password for "root" (using the same Directory Utility tool & nearby menu). After Apple releases a fix, remember to come back and disable the root user.
    Sure it does. Don't execute the flaw again, and prevent other users from doing so by disabling Guest access, and the Root user with no password won't appear again. That said, we've inserted more information about changing the root user's password -- which can have unintended consequences, especially if you forget the password.
    So taht means you can 1) Disable the Guest User and Disable Root User, or 2) keep keep Guest User active and change the Root User password to keep this security error at bay?
    Yup, either works. With 1, if you have a rogue user with a login and password, the Root account can be re-generated, though.

    If you want to keep Guest active, your #2 there is the only way to go. 
    Does this in any way affect rebooting a machine into Single User Mode? I've seen nothing about it, but this security issue makes me wonder if that could also be an entry point.
    We're still working on it, but provisionally, no. However, Root can still be generated.
  • Reply 10 of 44
    mattinozmattinoz Posts: 1,142member
    You could have put "Local" in the headline. I'm sure I'm not the only one here looking after a group of Mac for business or family who'd really appreciate direct triage information in the headline.

    Saying "Local Root vulnerability macOS High Sierra discovered". Would have let me read the article once knowing exactly how many machines are of concern and work out action needed instead of having to skim read first to pick up these important facts then read again properly to work out action.

    SpamSandwich
  • Reply 11 of 44
    lkrupplkrupp Posts: 7,318member
    Hilarious! We’re arguing about how this actually works and what to do about it. So many experts, so little expertise to confuse the issue and tie it up in knots. I decided to use iMore’s Rene Ritchie’s advice to enable root, set a strong password, and leave root enabled until the patch is made, probably in 10.13.2.
    edited November 2017 revenant
  • Reply 12 of 44
    Sigh. Apple needs to either scale their ambitions for annual MacOS releases way the fuck back, or return to an 18 month schedule. 

    — Eric “still wakes up to a kernel panic if he leaves his MBP plugged in to a Thunderbolt Display and some backup drives overnight" WVGG
    Speed1050cornchipdysamoria
  • Reply 13 of 44
    Your instructions are incorrect. Disabling the root user doesn't help.

    https://news.ycombinator.com/item?id=15800676 says 
    "You're enabling the root user EVERY time you use this vulnerability. Even if you disable the root user in Directory Utility, logging in with root and no password will re-enable the root user."

    You really need to set a password for "root" (using the same Directory Utility tool & nearby menu). After Apple releases a fix, remember to come back and disable the root user.
    Sure it does. Don't execute the flaw again, and prevent other users from doing so by disabling Guest access, and the Root user with no password won't appear again. That said, we've inserted more information about changing the root user's password -- which can have unintended consequences, especially if you forget the password.
    That only works so long as no one else manages to get access to your Mac while it is either unlocked or sitting at the login screen. If your Mac doesn't have FileVault enabled, rebooting it will suffice. If you display a list of users at login, clicking "other" will let you enter "root" and no password.

    The vulnerability can also be triggered via an AppleScript. If someone manages to get you to run the script, it will trigger the flaw.

    Disabling root is not a fix. Changing root's password is a fix.
    cropr
  • Reply 14 of 44
    Mike WuertheleMike Wuerthele Posts: 4,895administrator
    macwhiz said:
    Your instructions are incorrect. Disabling the root user doesn't help.

    https://news.ycombinator.com/item?id=15800676 says 
    "You're enabling the root user EVERY time you use this vulnerability. Even if you disable the root user in Directory Utility, logging in with root and no password will re-enable the root user."

    You really need to set a password for "root" (using the same Directory Utility tool & nearby menu). After Apple releases a fix, remember to come back and disable the root user.
    Sure it does. Don't execute the flaw again, and prevent other users from doing so by disabling Guest access, and the Root user with no password won't appear again. That said, we've inserted more information about changing the root user's password -- which can have unintended consequences, especially if you forget the password.
    That only works so long as no one else manages to get access to your Mac while it is either unlocked or sitting at the login screen. If your Mac doesn't have FileVault enabled, rebooting it will suffice. If you display a list of users at login, clicking "other" will let you enter "root" and no password.

    The vulnerability can also be triggered via an AppleScript. If someone manages to get you to run the script, it will trigger the flaw.

    Disabling root is not a fix. Changing root's password is a fix.
    See also: unintended consequences for Root password, especially if forgotten. Neither remediation method is perfect.

    And, you can't enter Root and login with no password at the Other screen if you haven't executed the exploit in the first place, or the Root user is disabled.

    Regarding the "triggered via AppleScript" -- lots of things can be done with social engineering. 
    edited November 2017
  • Reply 15 of 44
    Mike WuertheleMike Wuerthele Posts: 4,895administrator
    lkrupp said:
    Hilarious! We’re arguing about how this actually works and what to do about it. So many experts, so little expertise to confuse the issue and tie it up in knots. I decided to use iMore’s Rene Ritchie’s advice to enable root, set a strong password, and leave root enabled until the patch is made, probably in 10.13.2.
    That works too. DO NOT forget the password. In the meantime, some system operations may bug you for it, when you wouldn't ordinarily expect to enter it.
  • Reply 16 of 44
    SoliSoli Posts: 9,276member
    macwhiz said:
    Your instructions are incorrect. Disabling the root user doesn't help.

    https://news.ycombinator.com/item?id=15800676 says 
    "You're enabling the root user EVERY time you use this vulnerability. Even if you disable the root user in Directory Utility, logging in with root and no password will re-enable the root user."

    You really need to set a password for "root" (using the same Directory Utility tool & nearby menu). After Apple releases a fix, remember to come back and disable the root user.
    Sure it does. Don't execute the flaw again, and prevent other users from doing so by disabling Guest access, and the Root user with no password won't appear again. That said, we've inserted more information about changing the root user's password -- which can have unintended consequences, especially if you forget the password.
    That only works so long as no one else manages to get access to your Mac while it is either unlocked or sitting at the login screen. If your Mac doesn't have FileVault enabled, rebooting it will suffice. If you display a list of users at login, clicking "other" will let you enter "root" and no password.

    The vulnerability can also be triggered via an AppleScript. If someone manages to get you to run the script, it will trigger the flaw.

    Disabling root is not a fix. Changing root's password is a fix.
    OK, I've disabled Guest Account and I have File Vault 2 enabled (both already the status quo before any of these cropped up), and then I made sure that Root User access was Disabled (no Root User password change attempted).

    Then I logged out of my Mac and typed in Root as the username with no password and nothing happened. Based on what your post says, shouldn't that have logged me in? If not, what can I type in to verify that it will bypass by system?
    edited November 2017
  • Reply 17 of 44
    DO NOT TAKE THIS ADVICE.  Turning off the Guest Account will disable Find My Mac.  Just set a password for the root user.
    lkruppdysamoria
  • Reply 18 of 44
    If Steve were here this wouldn't have ever happened! I think Tim Cook should be fired! /s
  • Reply 19 of 44
    The BUG is that a disabled root account can be enabled without a password from the UI of the Mac.

    The ONLY way to prevent this enabling of the root account is to ALREADY enable it, and give it a password.

    The average user WON'T need the root account in any case, so put the password in your password safe and LEAVE IT ENABLED.

    Yes, it's dangerous to have the root account enabled-- Mike's link above details the issues-- but because of this bug having it DISABLED is a very bad idea.

    Disabling Guest access only closes one path to the bug, it doesn't actually FIX the bug-- Enabling root access with a password actually FIXES the problem.

    Oh, one more point, my ancient Mavericks laptop doesn't show this bug.

    Why you can trust my opinion: Unix developer and administrator since 1980's, professional Mac developer/user since the 1990's

    edited November 2017 GG1cornchipapres587magman1979
  • Reply 20 of 44
    ben20ben20 Posts: 120member
    Tim Cook needs to go! I don't even update my Mac anymore, everytime there is another flaw! No excuse this time!
Sign In or Register to comment.