Posted on 12-05-2017 07:50 AM
My student computers are currently on 10.11 and I was about to roll out 10.13 until the root issue showed up. Upgrading them to 10.13 and then having to push out another update to fix the root issue leaves too much of a window open for students to take advantage of the issue. Is there a way I can push out a fix while they are on 10.11 before updating them to 10.13?
Any help is greatly appreciated.
Posted on 12-05-2017 07:58 AM
My enrolled 10.13 machines don't exhibit the flaw, I'm guessing because the enrollment settings apply a root password. I was only able to exhibit the flaw on non-enrolled machines. I would suggest testing on a non-prod machine.
Posted on 12-05-2017 08:00 AM
@mhamlin That is what I was hoping, I updated 10 test computers and all of them had the flaw once updated to 10.13.
Posted on 12-05-2017 08:26 AM
Perhaps disabling the root user would work? Worth a try...
http://osxdaily.com/2015/02/19/enable-disable-root-command-line-mac/
Posted on 12-05-2017 11:00 AM
@mhamlin So I created a script that would disable root and pushed it out to a 10.12 computer. Then I updated it to 10.13 and I was able to just type root sans password and it gave me root access. So unfortunately that did not work.
Posted on 12-05-2017 11:34 AM
Has anyone checked to see if the Installer downloaded from the Mac App Store today provides a fully patched 10.13.1 yet? Maybe we'll have to wait for 10.13.2 for the fully patched installer?
Posted on 12-05-2017 12:18 PM
Disabling root won't fix the issue, the bug is that root gets enabled when it attempts authentication and the default password is empty.
Forcing a root password will stop it being exploitable unless you know the password (which you could randomise if you scripted it for example).
Posted on 12-05-2017 04:39 PM
@AVmcclint - I did an internet recovery on a new 2017 MBP last night and it still needed the update. Odd, but guessing it's coming in 10.13.2 as you suggested.
"release-notes" = "Security Update 2017-001 is recommended for all users and improves the security of macOS.
For more information on the security content of this update see http://support.apple.com/kb/HT201222.
";
Posted on 12-06-2017 01:11 AM
I'd say push a root password before upgrading to 10.13, that should solve your problem.
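Added example, not part of any post in this thread: one way to script the randomised root password suggested in the replies above, meant to run as root on the machines before they are upgraded. The function names and the `DSCL` override variable are hypothetical; `dscl . -passwd` and `dscl . -authonly` are the stock macOS commands.

```shell
#!/bin/bash
# Added example: give root a long random password before the 10.13 upgrade.
# Assumption: runs as root, e.g. as a management-tool policy script.
# DSCL is a hypothetical override so the logic can be exercised off-Mac.
DSCL="${DSCL:-dscl}"

# Print a 32-character alphanumeric password drawn from /dev/urandom.
gen_root_password() {
    head -c 512 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | cut -c1-32
}

# Set the given password on the local root account, then confirm it
# authenticates. Refuses anything shorter than 32 characters so a failed
# generator can never leave root with an empty or weak password.
apply_root_password() {
    [ "${#1}" -ge 32 ] || { echo "refusing short password" >&2; return 1; }
    # Caveat: the password is briefly visible in the process list.
    "$DSCL" . -passwd /Users/root "$1" || return 1
    "$DSCL" . -authonly root "$1"
}

# Only act on a Mac and only as root; the password is never stored or logged.
if [ "$(uname -s)" = "Darwin" ] && [ "$(id -u)" -eq 0 ]; then
    pw=$(gen_root_password)
    if apply_root_password "$pw"; then
        echo "root password randomised"
    else
        echo "failed to set root password" >&2
    fi
    unset pw
fi
```

Because the password is generated and discarded on each machine, nobody knows it; an admin who later needs root can reset it the same way.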
Posted on 12-06-2017 10:42 AM
10.13.2 is now available in the app store. I am going to upgrade a computer with it and see what happens.
Posted on 12-07-2017 06:17 AM
I can confirm that pushing out 10.13.2 from the app store comes patched. So I will be pushing this out to upgrade students' computers.