Report to see who has installed today’s fix for the root vulnerability?

john_sherrod
Contributor II

What’s the best way to do this? Apple pushed out the fix just now. How can I tell which of my Macs has installed it?


mm2270
Legendary Contributor II

Not sure if it's been mentioned elsewhere already, but in case not, the 10.13.x patch (Build 17B1003 for 10.13.1, Build 17A501 for 10.13.0) can be downloaded from here https://support.apple.com/kb/DL1943?viewlocale=en_US&locale=en_US

The pkg itself is labeled "macOSUpd10.13Supplemental.pkg" as opposed to yesterday's earlier version which was "macOSUpd10.13.1Supplemental.pkg"

I'll be testing it out shortly on some 10.13.x systems.

PhillyPhoto
Contributor III

@mm2270 When I run that second package on a 10.13.1 device with 17B1002, I get the following error:


This package runs fine on 10.13.0 but doesn't change the build version at all. It does appear to change the opendirectoryd utility as described here: https://support.apple.com/en-gb/HT208315.

I've created an EA (see below) based on the above link to check the version number of opendirectoryd since the inventory doesn't collect this information. I have created a FR for this though.

#!/bin/sh
# Match the PROGRAM line by keyword only, so the check does not depend on the leading tab surviving copy/paste.
VERSION=$(what /usr/libexec/opendirectoryd | grep "PROGRAM" | awk '{print $2}' | sed 's/PROJECT:opendirectoryd-//g')

echo "<result>$VERSION</result>"

emily
Valued Contributor III

If you've noticed that you are unable to add admin accounts after this update without a reboot, and you have some kind of support agreement with Apple, or want to file a RADAR, please do. This seems to be news to them based on our interactions and I think more customers reporting the issue will help them get it on their… radar?

lpadmin
Contributor

So I ran the update software policy on a 10.13.1 computer and it updated the computer to build 17B1003. Then I had the policy run a couple more times and it acts like the computer is up to date. From what I understand 17B1003 should fix the root issue. But I can still use root sans password to unlock admin rights. Am I missing something here?

Here is a link to my video.

https://photos.app.goo.gl/TloVSLBHkr2vZIXy2

alexjdale
Valued Contributor III

@lpadmin, if you tried out the bug previously, I think it enabled root with a blank password. I don't think the update addresses that, just the bug that allowed it to happen. So you might be testing it now and it works because the root account is active, not because of the escalation bug.

PhillyPhoto
Contributor III

@alexjdale The article for the fix implies the opposite:

"If you require the root user account on your Mac, you will need to re-enable the root user and change the root user's password after this update."

alexjdale
Valued Contributor III

Ah yeah, you are right about that. I'd consider that to be a problem then, but we're pushing root password changes because this can't happen again, ever. Or else it's shame on me.

mm2270
Legendary Contributor II

@PhillyPhoto Thanks for the follow up. It looks like I was mistaken. The "10.13Supplemental" patch seems to be ONLY for 10.13.0 systems and yesterday's "10.13.1Supplemental" is ONLY for 10.13.1 systems, just as the names actually imply. I was under the impression the 10.13 one would work for both, but it does not. I just tried installing it on an un-patched 10.13.1 machine and I get the same error.
Running yesterday's 10.13.1Supplemental patch on it works though.

It updated the Build on my 10.13.1 test Mac to 17B1002. I have to see if I have a 10.13.0 machine I can access to run the patch against to see how the build reflects afterward.

I don't know why Apple wasn't able to issue a single patch to handle both versions of the OS, but oh well. I get the distinct impression this entire thing was seriously rushed out the door.

chris_kemp
Contributor III

Happening to me too...<expletive expletive>!!

I've filed a ticket with Enterprise Support to add our names to the list...

chris_kemp
Contributor III

UPDATE - Support got back to me right away, saying 1. they're tracking the issue, and 2. You can fix it by rebooting.

mm2270
Legendary Contributor II

Yeah, I can confirm that a reboot is needed to get back the ability to create admin accounts in the GUI. I just get a System Preferences error and it exits out of Sys Prefs otherwise. It's only a GUI issue though. You can still create an admin user using sysadminctl FWIW.

cddwyer
Contributor

This will check it for sure:

#!/bin/bash
# Read the version strings embedded in the opendirectoryd binary.
openDV=$(what /usr/libexec/opendirectoryd)
# Count matches for each patched version; -F makes grep treat the dots literally.
isRUI=$(echo "$openDV" | grep -cF 'opendirectoryd-483.1.5')
isRUIP1=$(echo "$openDV" | grep -cF 'opendirectoryd-483.20.7')
if [[ $isRUI -gt 0 ]]; then
    echo "Root security update IS installed"
elif [[ $isRUIP1 -gt 0 ]]; then
    echo "Root update IS installed"
else
    echo "Root update missing, please update immediately!"
fi

exit 0

Hope that helps.
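Added example, not part of any post in this thread: a Jamf extension attribute that combines the two checks posted above (the version extraction and the patched-version comparison) into one reportable value. The function names, the result labels, the `OutOfScope` handling and the sample `what` output are assumptions made for illustration; the two patched version strings and the 10.13.0 / 10.13.1 scope come from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Patched versions are the two strings
# checked in the script above; the OS scope (10.13.0 / 10.13.1) is from the thread.
PATCHED_VERSIONS="483.1.5 483.20.7"

# Constructed sample of `what` output (format assumed from the scripts above).
sample_what() {
    printf '/usr/libexec/opendirectoryd\n\t PROGRAM:opendirectoryd  PROJECT:opendirectoryd-%s\n' "$1"
}

# Print the opendirectoryd version found in `what` output ($1), or nothing.
od_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*PROJECT:opendirectoryd-\([0-9.]*\).*/\1/p' | head -n 1
}

# classify <os_version> <what_output>
# Prints: Patched (<ver>) | Missing (<ver>) | Unknown | OutOfScope (<os>)
classify() {
    case "$1" in
        10.13|10.13.0|10.13.1) ;;                  # releases the two packages target
        *) echo "OutOfScope ($1)"; return 0 ;;     # assumption: report, do not judge
    esac
    ver=$(od_version "$2")
    [ -n "$ver" ] || { echo "Unknown"; return 0; }
    for p in $PATCHED_VERSIONS; do
        # Exact comparison: a substring or regex match would also accept
        # a longer string such as the constructed 483.1.50.
        [ "$ver" = "$p" ] && { echo "Patched ($ver)"; return 0; }
    done
    echo "Missing ($ver)"
}

# On a Mac, emit the Jamf extension attribute result; skipped elsewhere.
if command -v sw_vers >/dev/null 2>&1 && command -v what >/dev/null 2>&1; then
    echo "<result>$(classify "$(sw_vers -productVersion)" \
        "$(what /usr/libexec/opendirectoryd)")</result>"
fi
```

A smart group on values beginning with `Missing` or equal to `Unknown` then lists the Macs that still need the update or need a closer look.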