20 hours ago, Lemi Orhan Ergin, a software craftsman from Turkey, tweeted at Apple to draw its attention to a security issue. It was not a vulnerability that required advanced skills to exploit.
Dear @AppleSupport, we noticed a HUGE security issue at MacOS High Sierra. Anyone can login as "root" with empty password after clicking on login button several times. Are you aware of it @Apple?
— Lemi Orhan Ergin (@lemiorhan) November 28, 2017
Yes, one could simply enter the user name root, with no password at all, at the login prompt of macOS High Sierra and be granted administrative access. Users from a Unix background are familiar with the root [1] superuser; it is akin to the Windows Administrator account, if that makes it simpler for non-Unix, non-Linux, non-macOS users.
The hours that followed resulted in a social network frenzy, with users confirming that they indeed got superuser access by following Lemi’s instructions. The news spread online from Twitter to Reddit [2], WIRED [3], Computer World [4], CNET [5], Business Insider [6] and many more. I’m sure you can find the stories elsewhere, written in various flavours.
I’m not a Mac user and I do not have a macOS High Sierra machine within reach to reproduce the root access flaw. However, my developer colleague and friend Sandeep Ramgolam tested it and posted a video on his Twitter account.
Tested the root access flaw in High Sierra. It's real. Waiting for a patch @Apple Quick! pic.twitter.com/oPKV51iROB
— Sun 🇲🇺 (@Sun) November 29, 2017
Quick Fix
I imagine your jaw has dropped in astonishment, uncertainty, amusement and perhaps even fear. You’re surely wondering how to fix it, whether Apple has reacted and released a patch yet, and so on. The good news is that a quick workaround is as simple as setting a password for the root account. Until Apple patches the flaw, a strong root password could save you from unnecessary trouble caused by classmates, colleagues, etc. who have fun posting from other people’s computers.
At the time of writing this blog post there was still no reaction from Apple. In fact, if you are curious enough to tag Apple in tweets, know that Apple has never tweeted. 🤔
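A read-only audit script, added here to illustrate the workaround above (it is not from the original post or from Apple): it reports a machine as exposed only when root still has no password, the release is one that shipped with the flaw, and Security Update 2017-001 is absent. It assumes the macOS tools sw_vers, dscl and system_profiler, and that dscl shows a disabled root account's Password attribute as a single `*`.

```shell
# Read-only audit for the two facts the post cares about: is root still
# disabled (no password set), and is Security Update 2017-001 installed?
# Parsing lives in pure functions so it can be checked on captured output.
# $1 is the output of: dscl . -read /Users/root Password
# Assumption: a disabled root account shows "Password: *", an enabled one
# shows a masked value such as "Password: ********".
root_state_from_password() {
  val=${1#*: }
  case "$val" in
    "*")   echo disabled ;;
    "**"*) echo enabled ;;
    *)     echo unknown ;;
  esac
}

# 10.13.0 and 10.13.1 shipped with the flaw; 10.12.6 and earlier are not
# affected (per the advisory). Later 10.13.x releases are assumed patched.
needs_update_for_version() {
  case "$1" in
    10.13|10.13.0|10.13.1) echo yes ;;
    *)                     echo no ;;
  esac
}

# $1 is the output of: system_profiler SPInstallHistoryDataType
has_security_update_2017_001() {
  if printf '%s\n' "$1" | grep -q 'Security Update 2017-001'; then
    echo yes
  else
    echo no
  fi
}

# Exposed only when all three line up: root disabled, flawed release, no update.
verdict() {
  if [ "$1" = disabled ] && [ "$2" = yes ] && [ "$3" = no ]; then
    echo EXPOSED
  else
    echo ok
  fi
}

# Live check; only meaningful when run on macOS itself.
audit_root_exposure() {
  ver=$(sw_vers -productVersion 2>/dev/null || true)
  pw=$(dscl . -read /Users/root Password 2>/dev/null || true)
  hist=$(system_profiler SPInstallHistoryDataType 2>/dev/null || true)
  verdict "$(root_state_from_password "$pw")" \
          "$(needs_update_for_version "$ver")" \
          "$(has_security_update_2017_001 "$hist")"
}
```

Run `audit_root_exposure` on the Mac in question; anything other than `ok` means the root password should be set now rather than after the update.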
Update
CVE-2017-13872 was assigned to macOS High Sierra with the following description [7]:
Not impacted: macOS Sierra 10.12.6 and earlier
Impact: An attacker may be able to bypass administrator authentication without supplying the administrator’s password
Description: A logic error existed in the validation of credentials. This was addressed with improved credential validation.
Apple published [8] Security Update 2017-001.
Reuters [9] reported Apple saying that it would audit its software development process.
1. How to enable the root user on your Mac or change your root password?
2. Anyone can login as “root” with empty password on MacOS High Sierra
3. Apple MacOS High Sierra security flaw lets anyone get root access, No Password Required
4. What to do about Apple’s shameful Mac security flaw?
5. How to fix the MacOS High Sierra password bug?
6. There’s an embarrassing and dangerous security hole in the latest Mac software (AAPL)
7. https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-13872
8. https://support.apple.com/en-us/HT208315
9. Reuters: Apple to audit development processes after Mac bug discovered