Vulnerability 10.13 - Root

rderewianko
Valued Contributor II

Since this is out there, and the original finder did not go through responsible disclosure. Figured i'd post it here so at least admins are aware.
https://twitter.com/lemiorhan/status/935578694541770752

Dear @AppleSupport, we noticed a HUGE security issue at MacOS High Sierra. Anyone can login as "root" with empty password after clicking on login button several times. Are you aware of it @Apple?

This works on User & Admin accounts.

That being said, if you enable root and have a password on it. You're not affected. If you don't it'll enable root and create an account.

Enabling a root password however may cause you more tech debt down the line.

82 REPLIES 82

ThijsX
Valued Contributor
Valued Contributor

NIce,

i used below article to deploy that one specific update.

https://www.jamf.com/jamf-nation/third-party-products/files/937/apple-software-update-script

musat
Contributor II

I just rebooted my Mac and the BuildVersion is now 17B1003. It looks like they re-released the patch.

Security Update 2017-001

Looks like the original patch broke other things:
https://www.engadget.com/2017/11/30/apples-high-sierra-security-patch-affected-mac-file-sharing/

Taylor_Armstron
Valued Contributor

The re-release also applies to 10.13 (vs. 10.13.1).