INFORMATION SECURITY ALERT: RISK Medium - Mac OSX High Sierra 10.13 and Greater Vulnerability

By: Jeff Gardiner

November 29, 2017

SUMMARY

Recently Apple introduced its operating system “High Sierra”, which does not set by default a password for the highest privilege account “root”. As a consequence, there is a root login vulnerability in macOS High Sierra. Apple is aware of this, as the vulnerability was actually discussed on their Developer Forum (as a solution to another problem):

https://forums.developer.apple.com/thread/79235

HOW IT AFFECTS US

Anyone running this operating system has a fundamentally insecure machine, because anyone who knows that the root password is not set can escalate privilege on the machine, effectively compromising it. That said, a person must have either direct access to the machine or virtual desktop access. Western blocks Virtual Access technology, so in our environment (at least) the threat of network compromise is being managed.

http://money.cnn.com/2017/11/28/technology/macos-high-sierra-bug/

PROBLEM SIMPLY EXPLAINED

No root (or Administrator) password means anyone can control the machine: installing software, key logging, copying screenshots, etc. Western Technology Services’ helpdesk has conducted tests and confirmed that this exploit is as simple as logging in without a password. After trying this in System Preferences, Western staff were able to log in as root.

https://www.macrumors.com/2017/10/05/apple-releases-macos-high-sierra-10-13-supplemental-update/

REMEDIATION

  1. Install Mac supplemental update: https://support.apple.com/en-ca/HT201222
  2. Set Root password: https://krebsonsecurity.com/2017/11/macos-high-sierra-users-change-root-password-now/

For additional details contact WTS helpdesk or security@uwo.ca.

