Report to see who has installed today’s fix for the root vulnerability?
Posted on 11-29-2017 08:27 AM
What’s the best way to do this? Apple pushed out the fix just now. How can I tell which of my Macs has installed it?
Labels: Inventory (OS X)
Posted on 11-30-2017 07:51 AM
Not sure if it's been mentioned elsewhere already, but in case not, the 10.13.x patch (Build 17B1003 for 10.13.1, Build 17A501 for 10.13.0) can be downloaded from here https://support.apple.com/kb/DL1943?viewlocale=en_US&locale=en_US
The pkg itself is labeled "macOSUpd10.13Supplemental.pkg" as opposed to yesterday's earlier version which was "macOSUpd10.13.1Supplemental.pkg"
I'll be testing it out shortly on some 10.13.x systems.
Posted on 11-30-2017 08:25 AM
@mm2270 When I run that second package on a 10.13.1 device with 17B1002, I get the following error:
This package runs fine on 10.13.0 but doesn't change the build version at all. It does appear to change the opendirectoryd utility as described here: https://support.apple.com/en-gb/HT208315.
I've created an EA (see below) based on the above link to check the version number of opendirectoryd since the inventory doesn't collect this information. I have created a FR for this though.
```
#!/bin/sh
# Match the line where a literal tab precedes PROGRAM; printf supplies the tab
# so it survives copy and paste.
TAB=$(printf '\t')
VERSION=$(what /usr/libexec/opendirectoryd | grep "${TAB}PROGRAM" | awk '{print $2}' | sed 's/PROJECT:opendirectoryd-//g')
echo "<result>$VERSION</result>"
```
Posted on 11-30-2017 08:33 AM
If you've noticed that you are unable to add admin accounts after this update without a reboot, and you have some kind of support agreement with Apple, or want to file a RADAR, please do. This seems to be news to them based on our interactions and I think more customers reporting the issue will help them get it on their… radar?
Posted on 11-30-2017 08:33 AM
So I ran the update software policy on a 10.13.1 computer and it updated the computer to build 17B1003. Then I had the policy run a couple more times and it acts like the computer is up to date. From what I understand, 17B1003 should fix the root issue. But I can still use root sans password to unlock admin rights. Am I missing something here?
Here is a link to my video.
https://photos.app.goo.gl/TloVSLBHkr2vZIXy2
Posted on 11-30-2017 08:59 AM
@lpadmin, if you tried out the bug previously, I think it enabled root with a blank password. I don't think the update addresses that, just the bug that allowed it to happen. So you might be testing it now and it works because the root account is active, not because of the escalation bug.
Posted on 11-30-2017 09:10 AM
@alexjdale The article for the fix implies the opposite:
"If you require the root user account on your Mac, you will need to re-enable the root user and change the root user's password after this update."
Posted on 11-30-2017 09:14 AM
Ah yeah, you are right about that. I'd consider that to be a problem then, but we're pushing root password changes because this can't happen again, ever. Or else it's shame on me.
Posted on 11-30-2017 09:25 AM
@PhillyPhoto Thanks for the follow up. It looks like I was mistaken. The "10.13Supplemental" patch seems to be ONLY for 10.13.0 systems and yesterday's "10.13.1Supplemental" is ONLY for 10.13.1 systems, just as the names actually imply. I was under the impression the 10.13 one would work for both, but it does not. I just tried installing it on an un-patched 10.13.1 machine and I get the same error.
Running yesterday's 10.13.1Supplemental patch on it works though.
It updated the Build on my 10.13.1 test Mac to 17B1002. I have to see if I have a 10.13.0 machine I can access to run the patch against to see how the build reflects afterward.
I don't know why Apple wasn't able to issue a single patch to handle both versions of the OS, but oh well. I get the distinct impression this entire thing was seriously rushed out the door.
Posted on 11-30-2017 10:20 AM
Happening to me too...<expletive expletive>!!
I've filed a ticket with Enterprise Support to add our names to the list...
Posted on 11-30-2017 10:38 AM
UPDATE - Support got back to me right away, saying 1. they're tracking the issue, and 2. You can fix it by rebooting.
Posted on 11-30-2017 10:49 AM
Yeah, I can confirm that a reboot is needed to get back the ability to create admin accounts in the GUI. I just get a System Preferences error and it exits out of Sys Prefs otherwise. It's only a GUI issue though. You can still create an admin user using sysadminctl
FWIW.
Posted on 12-01-2017 07:10 AM
This will check it for sure:
```
#!/bin/bash
# Read the embedded version strings from the opendirectoryd binary.
openDV=$(what /usr/libexec/opendirectoryd)
# Count lines matching each patched opendirectoryd version.
isRUI=$(echo "$openDV" | grep -c 'opendirectoryd-483.1.5')
isRUIP1=$(echo "$openDV" | grep -c 'opendirectoryd-483.20.7')
if [[ $isRUI -gt 0 ]]; then
    echo "Root security update IS installed"
elif [[ $isRUIP1 -gt 0 ]]; then
    echo "Root update IS installed"
else
    echo "Root update missing, please update immediately!"
fi
exit 0
```
Hope that helps.
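
An added example, not code from any poster in this thread: an extension-attribute script that pairs the OS version with the patched opendirectoryd version given in Apple's HT208315 article linked above (483.1.5 on 10.13, 483.20.7 on 10.13.1), so Macs on other releases are not reported as missing the update. The function names and result strings are hypothetical, and the sample `what` output is constructed from the format the scripts above parse.

```shell
#!/bin/bash
# Added example: Jamf extension attribute reporting root-fix status.
# Only the two releases discussed in this thread are mapped.

# Extract the opendirectoryd project version from `what` output text.
od_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*PROJECT:opendirectoryd-\([0-9.]*\).*/\1/p' | head -n 1
}

# Map an OS version to the patched opendirectoryd version for that release.
expected_version() {
    case "$1" in
        10.13|10.13.0) echo "483.1.5" ;;
        10.13.1)       echo "483.20.7" ;;
        *)             echo "" ;;
    esac
}

# classify <os_version> <what_output> -> status string for the EA.
classify() {
    local want have
    want=$(expected_version "$1")
    have=$(od_version "$2")
    if [ -z "$want" ]; then
        echo "Not applicable ($1)"
    elif [ -z "$have" ]; then
        echo "Unknown (no opendirectoryd version found)"
    elif [ "$have" = "$want" ]; then
        echo "Patched ($have)"
    else
        echo "Not patched ($have, expected $want)"
    fi
}

if command -v sw_vers >/dev/null 2>&1 && [ -x /usr/libexec/opendirectoryd ]; then
    # On a Mac: report the live state in the EA result format.
    os=$(sw_vers -productVersion)
    out=$(what /usr/libexec/opendirectoryd)
    echo "<result>$(classify "$os" "$out")</result>"
else
    # Elsewhere: demonstrate with constructed sample `what` output.
    SAMPLE=$(printf '/usr/libexec/opendirectoryd\n\tPROGRAM:opendirectoryd  PROJECT:opendirectoryd-483.20.7')
    classify "10.13.1" "$SAMPLE"
fi
```

A smart group on results beginning with "Not patched" or "Unknown" then lists the Macs that still need attention.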