Help

Vulnerability 10.13 - Root

rderewianko
Valued Contributor II

Posted on ‎11-28-2017 12:33 PM

Since this is out there, and the original finder did not go through responsible disclosure. Figured i'd post it here so at least admins are aware.
https://twitter.com/lemiorhan/status/935578694541770752

Dear @AppleSupport, we noticed a HUGE security issue at MacOS High Sierra. Anyone can login as "root" with empty password after clicking on login button several times. Are you aware of it @Apple?

This works on User & Admin accounts.

That being said, if you enable root and have a password on it. You're not affected. If you don't it'll enable root and create an account.

Enabling a root password however may cause you more tech debt down the line.

82 REPLIES 82

ThijsX
Valued Contributor
Valued Contributor

Posted on ‎11-29-2017 01:19 PM

NIce,

i used below article to deploy that one specific update.

https://www.jamf.com/jamf-nation/third-party-products/files/937/apple-software-update-script

musat
Contributor III

Posted on ‎11-30-2017 06:14 AM

I just rebooted my Mac and the BuildVersion is now 17B1003. It looks like they re-released the patch.

Security Update 2017-001

Looks like the original patch broke other things:
https://www.engadget.com/2017/11/30/apples-high-sierra-security-patch-affected-mac-file-sharing/

Taylor_Armstron
Valued Contributor

Posted on ‎11-30-2017 06:29 AM

The re-release also applies to 10.13 (vs. 10.13.1).

0 Kudos