Critical macOS High Sierra bug allows easy root access
If you’re using a Mac, and are running macOS High Sierra, drop everything that you’re doing and go and apply this update.
Why? What’s happening?
Turkish software developer Lemi Orhan Ergin dropped a bombshell yesterday – unauthorized users can gain root access to machines running High Sierra by simply logging in as “root” and not entering a password:
Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as "root" with empty password after clicking on login button several times. Are you aware of it @Apple?
— Lemi Orhan Ergin (@lemiorhan) November 28, 2017
The trick can apparently be used both on a locked and unlocked Mac – IF the root password hasn’t already been set (it isn’t by default).
How does it work?
In the case of a locked machine, the attacker needs to choose “Other…” on the login screen, and enter “root” as user and an empty password (or any password, see update below) and hit “Enter” a couple of times. (The trick may not work for some.)
On an unlocked machine, the attacker can access the option via System Preferences > Users & Groups, then click the lock in the lower left corner to make changes, then type in “root” in the username field, click on the password box but leave it blank, and press the Unlock button.
And, as it turns out, someone already noticed the bug two weeks ago:
Perhaps nobody noticed two weeks ago when the root login vulnerability in macOS High Sierra was shared as a helpful tip on Apple’s own Developer forums. https://t.co/P44gEId25d pic.twitter.com/sOiRt8j2X7
— Mike Myers (@fristle) November 29, 2017
Whether someone at Apple saw that particular post or not is unknown, but the company has reacted to Ergin’s Tweet by asking for more information. Later, a spokesperson confirmed the existence of the problem.
“We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac,” the spokesperson explained.
“To enable the Root User and set a password, please follow the instructions here. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section.”
Can the bug be exploited remotely?
It was thought initially that only an attacker with physical access to the target machine can exploit this bug.
But, as it turns out, the vulnerability can be exploited remotely if Screen Sharing is enabled.
Keith Hoodlet, Trust and Security Engineer at Bugcrowd, advises caution if you’re testing this vulnerability on your own computer:
“You’ll end up creating (or modifying) a persistent root user account on your system. The danger here is that, by creating such an account, it will affect remotely accessible services such as Remote Desktop. You remove existing safeguards around the root user – enabling passwordless root access to your system. Given the level of access the root account has, it has many (and wide-ranging) potential security impacts, including remote access through various services. We have internally confirmed that it adversely affects the Screen Sharing service.”
Rod Soto, Director of Research at JASK, says that the vulnerability is alarming because it makes it seamless for someone to log into a system as root.
“While there are other methods that can provide bad actors with access and password reset capabilities via physical access, these require some technical knowledge and time. The severity of this is how simple and quick anyone can execute the method and log in to reset and access user information even if their passwords are complicated,” he noted.
“With the granted controls, they can also install backdoors and disable any other protections on the device. However, it is expected that every corporate department that issues these types of devices would add passwords to root accounts as standard operating procedure.”
So far, the vulnerability seems to be present only in macOS High Sierra 10.13.0, 10.13.1, and macOS High Sierra 10.13.2 beta.
Update: Wednesday, 29 November 2017, 1:55 AM PT
Security researcher Tom Ervin warns against scanning the internet and trying to make connections to exposed Apple boxes, and testing the vulnerability with a blank password:
Everyone. Please, the MacOS “blank root password” vulnerability has nothing to do with a blank password. The first time someone tries to log in as root, whatever password they try becomes the password for root. DO NOT test with a blank password. SET A STRONG ROOT PASSWORD NOW.
— Tom Ervin (@techbytom) November 29, 2017
“If people are using an empty password for root to test/recreate this vuln – they may be making the system vulnerable, possibly even after Apple issues a patch,” he noted.
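A read-only triage script for the points above (the listed versions, and whether root already has a password record), added here as an example and not taken from the article or from Apple. The dscl output strings it matches and the verdict names are assumptions of this example.

```shell
#!/bin/sh
# Added example: triage one Mac for the root-login issue described in this article.
# Read-only: it never attempts a login as root, which could itself set the password.

# version_class VERSION -> affected | beta_only | not_listed
# The article lists 10.13.0, 10.13.1 and the 10.13.2 beta. macOS prints 10.13.0
# as "10.13". The version string does not say whether the security update is on.
version_class() {
    case "$1" in
        10.13|10.13.0|10.13.1) echo affected ;;
        10.13.2)               echo beta_only ;;
        *)                     echo not_listed ;;
    esac
}

# root_state DSCL_OUTPUT -> enabled | unset | unknown
# Assumption: "dscl . -read /Users/root AuthenticationAuthority" reports
# "No such key" while root has never been given a password, and a ShadowHash
# entry once one exists (set by an admin or by a login attempt on a buggy build).
root_state() {
    case "$1" in
        *ShadowHash*)    echo enabled ;;
        *"No such key"*) echo unset ;;
        *)               echo unknown ;;
    esac
}

# triage VERSION DSCL_OUTPUT -> one verdict token
triage() {
    ver=$(version_class "$1")
    root=$(root_state "$2")
    case "$root:$ver" in
        enabled:*)       echo REVIEW_ROOT ;;          # change root password unless you set it
        unset:affected)  echo EXPOSED_IF_UNPATCHED ;; # install update or set a strong root password
        unset:beta_only) echo CHECK_BETA ;;           # only the 10.13.2 beta is listed
        unset:*)         echo NOT_LISTED ;;
        *)               echo UNKNOWN ;;
    esac
}

# Live check, only where the macOS tools exist.
if command -v sw_vers >/dev/null 2>&1 && command -v dscl >/dev/null 2>&1; then
    triage "$(sw_vers -productVersion)" \
           "$(dscl . -read /Users/root AuthenticationAuthority 2>&1)"
fi
```

REVIEW_ROOT is reported on any version, because a root password created while testing the bug stays in place after the update is installed.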
Update: Wednesday, 29 November 2017, 9:15 AM PT: The article has been updated to link to the Apple update.
Update: Saturday, 2 December 2017, 13:50 AM PT: It seems that the update that fixes the root vulnerability has a bug: the fix fails if, after installing it, you update to the most recent version of the OS (High Sierra 10.13.1) and don’t reboot your machine.