Update to 10.13 and avoid Root issue

lpadmin
Contributor

My student computers are currently on 10.11 and I was about to roll out 10.13 until the root issue showed up. Upgrading them to 10.13 and then having to push out another update to fix the root issue leaves too much of a window open for students to take advantage of the issue. Is there a way I can push out a fix while they are on 10.11 before updating them to 10.13?

Any help is greatly appreciated.

1 ACCEPTED SOLUTION

lpadmin
Contributor

I can confirm that pushing out 10.13.2 from the app store comes patched. So I will be pushing this out to upgrade students computers.

View solution in original post

10 REPLIES 10

systems_support
New Contributor

My enrolled 10.13 machines don't exhibit the flaw, I'm guessing because the enrollment settings apply a root password. I was only able to exhibit the flaw on non-enrolled machines. I would suggest testing on a non-prod machine.

lpadmin
Contributor

@mhamlin That is what i was hoping, I updated 10 test computers and all of them had the flaw once updated to 10.13.

systems_support
New Contributor

Perhaps disabling the root user would work? Worth a try...

http://osxdaily.com/2015/02/19/enable-disable-root-command-line-mac/

lpadmin
Contributor

@mhamlin So I created script that would disable root and pushed it out to a 10.12 computer. Then I updated it to 10.13 and I was able to just type root sans password and it gave me root access. So unfortunately that did not work.

AVmcclint
Honored Contributor

Has anyone checked to see if the Installer downloaded from the Mac App Store today provides a fully patched 10.13.1 yet? Maybe we'll have to wait for 10.13.2 for the fully patched installer?

Look
Valued Contributor III

Disabling root won't fix the issue, the bug is that root gets enabled when it attempts authentication and the default password is empty.
Forcing a root password will stop it being exploitable unless you know the password (which you could randomise if you scripted it for example).

scottb
Honored Contributor

@AVmcclint - I did an internet recovery on a new 2017 MBP last night and it still needed the update. Odd, but guessing it's coming in 10.13.2 as you suggested.

"release-notes" = "Security Update 2017-001 is recommended for all users and improves the security of macOS.

For more information on the security content of this update see http://support.apple.com/kb/HT201222.
";

remyb
Contributor

I'd say push a root password before upgrading to 10.13, that should solve your problem.

lpadmin
Contributor

10.13.2 is now available in the app the store. I am going to upgrade a computer with and see what happens.

lpadmin
Contributor

I can confirm that pushing out 10.13.2 from the app store comes patched. So I will be pushing this out to upgrade students computers.