Major vulnerability in Apple's macOS provides System Administrator access with few instruc...
A new security flaw in macOS High Sierra has been discovered by researchers -- one that grants a user access to the system administrator ("root") account on a target machine without requiring a password.
Posted on Twitter by software engineer Lemi Orhan Ergin, the vulnerability requires relatively few steps to accomplish, and takes advantage of a section within the System Preferences menu. AppleInsider is not publishing the full set of instructions for the sake of security, but staff tests have confirmed it to be functional, and extremely simple to follow.
Once the few steps were performed, AppleInsider staff discovered the "root" System Administrator account on the Mac mini with macOS 10.13.1 being used for testing was enabled, despite having been previously disabled. After disabling the account, following the same instructions re-enabled the account.
The flaw exists in all versions of High Sierra, including the beta 5 build that was released earlier on Tuesday.
Gaining access to the System Administrator account gives a user free rein over the macOS desktop, including the ability to view all files stored on the computer in every user account, edit the credentials of other users, and alter other settings on the device.
It is unclear if Apple was advised of the security issue before Ergin's Twitter disclosure, but his query to Apple Support asks "Are you aware of it @Apple?" suggesting no such advance warning was made.
While a major vulnerability, it still requires access to the computer, either locally or over a remote access session. It also needs an authorized user to be logged in before the Root account with no password can be generated. Disabling the Guest account provides a level of protection, since an attacker then needs a (presumably secure) user password to reach the desktop in the first place.
In a support page, Apple says that the Root user is not intended for routine use, since it has privileges that allow changes to files the Mac itself requires.
The most direct protection against the exploit, short of Apple's interim advice to set a root password (see the update below), is to disable Guest access. This can be accomplished by opening System Preferences, selecting Users & Groups, choosing Guest User, and turning off "Allow guests to log in to this computer."
To disable the Root user, select System Preferences, then click Users & Groups.
Click on the lock icon, and authenticate with an administrator's name and password. Click Login Options.
Click Join or Edit.
Click Open Directory Utility, then click on the lock icon to authenticate. Pull down the Edit menu and select Disable Root User; it appears in the same place as Enable Root User.
There is no way to generate the Root account from the login screen. After disabling the Root user, the computer is protected only until the same steps are followed again, which re-enables the account.
Alternatively, from the Directory Utility, the Root account password can be changed. This prevents the exploit from working again, but leaving the Root user enabled can have unintended consequences, including prompts for Root credentials at unexpected times.
Update: Apple subsequently issued a statement to iMore:
"We are working on a software update to address the issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012M. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the "Change the root password" section."
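The Directory Utility steps above and Apple's interim advice can also be done from a terminal, which is what an administrator with more than one Mac would script. The following is an added example, not code from the article, from Ergin or from Apple. It assumes macOS 10.13 with the stock dscl(1), dsenableroot(8) and defaults(1) tools, that a disabled root record reports the placeholder "*" as its Password attribute and an enabled one "********", and that the Guest checkbox is backed by the GuestEnabled key in the loginwindow preferences; those values are what a stock system shows, but check them on your own build before trusting the report.

```shell
#!/bin/sh
# Added example (not the article's or Apple's code): command-line equivalents
# of the Directory Utility steps. Assumes macOS 10.13 with dscl(1),
# dsenableroot(8) and defaults(1). The read-only checks run from any account;
# the change functions need an administrator (sudo).

# The "Password" attribute of the root record is the quickest tell: a
# disabled root user carries the placeholder "*", an enabled one the masked
# value "********" (dscl never prints the hash itself). Anything else, including
# empty output from a machine without dscl, is reported as unknown.
classify_root_password() {
    case "$1" in
        "Password: *")        echo disabled ;;
        "Password: ********") echo enabled ;;
        *)                    echo unknown ;;
    esac
}

# Live check of this machine's root record.
root_state() {
    classify_root_password "$(dscl . -read /Users/root Password 2>/dev/null)"
}

# Guest login is the checkbox in Users & Groups > Guest User; the preference
# behind it is assumed to be GuestEnabled in the loginwindow domain.
guest_login_enabled() {
    v=$(defaults read /Library/Preferences/com.apple.loginwindow GuestEnabled 2>/dev/null || echo 0)
    [ "$v" = 1 ]
}

# Equivalent of "Disable Root User" in Directory Utility's Edit menu.
# Caveat from the article: triggering the flaw again re-enables the account,
# so this alone is not a fix.
disable_root() {
    sudo dsenableroot -d
}

# Apple's interim mitigation: enable root and give it a real password.
# dsenableroot prompts for an admin name/password and the new root password.
# It also accepts -u/-p/-r, but those leave both passwords visible in the
# process list and shell history, so the interactive prompt is preferred.
# Use a long random password from your password safe and paste it in.
set_root_password() {
    sudo dsenableroot
}

# Turn off "Allow guests to log in to this computer".
disable_guest_login() {
    sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool NO
}

# Read-only summary; harmless anywhere, only meaningful on macOS.
report() {
    printf 'root user: %s\n' "$(root_state)"
    if guest_login_enabled; then
        echo "guest login: on"
    else
        echo "guest login: off or unset"
    fi
}

# Print the report when executed on a Mac. The change functions are invoked
# explicitly by the administrator, e.g.  . ./rootcheck.sh; set_root_password
if [ "$(uname)" = Darwin ]; then
    report
fi
```

Run the report before and after applying the mitigation; a root user that shows "enabled" without a password you set yourself is exactly the condition the article describes, and a sound next step is `set_root_password` rather than `disable_root`.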
Ergin's tweet read:
Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as "root" with empty password after clicking on login button several times. Are you aware of it @Apple?
-- Lemi Orhan Ergin (@lemiorhan)
Comments
https://news.ycombinator.com/item?id=15800676 says
"You're enabling the root user EVERY time you use this vulnerability. Even if you disable the root user in Directory Utility, logging in with root and no password will re-enable the root user."
You really need to set a password for "root" (using the same Directory Utility tool & nearby menu). After Apple releases a fix, remember to come back and disable the root user.
Saying "Local Root vulnerability macOS High Sierra discovered" would have let me read the article once, knowing exactly how many machines are of concern, and work out the action needed, instead of having to skim-read first to pick up these important facts and then read again properly to work out the action.
— Eric "still wakes up to a kernel panic if he leaves his MBP plugged in to a Thunderbolt Display and some backup drives overnight" WVGG
The vulnerability can also be triggered via an AppleScript. If someone manages to get you to run the script, it will trigger the flaw.
Disabling root is not a fix. Changing root's password is a fix.
Then I logged out of my Mac and typed in Root as the username with no password and nothing happened. Based on what your post says, shouldn't that have logged me in? If not, what can I type in to verify that it will bypass my system?
The ONLY way to prevent this enabling of the root account is to ALREADY enable it, and give it a password.
The average user WON'T need the root account in any case, so put the password in your password safe and LEAVE IT ENABLED.
Yes, it's dangerous to have the root account enabled-- Mike's link above details the issues-- but because of this bug having it DISABLED is a very bad idea.
Disabling Guest access only closes one path to the bug, it doesn't actually FIX the bug-- Enabling root access with a password actually FIXES the problem.
Oh, one more point, my ancient Mavericks laptop doesn't show this bug.
Why you can trust my opinion: Unix developer and administrator since 1980's, professional Mac developer/user since the 1990's