Vulnerability in Mac OSX High Sierra 10.13 and Greater
Update: Apple released a special security update for macOS High Sierra, solving a recently uncovered flaw which would let people gain root access without entering a password. The update was automatically installed on all systems running the latest version (10.13.1) or greater of Mac OS High Sierra. For more information, please click here.
A security flaw has been detected in Mac operating systems (OSX) High Sierra 10.13 and greater. This vulnerability allows anyone to login to a Mac device and change administrative settings by typing in the username "root" with no password.
Current Solution:
- Apple is working on a permanent software fix for the issue. Until further notice, Apple has issued the following statement: "We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the 'Change the root password' section."
Systems at Risk:
Currently, this vulnerability is only detected in users with a Mac OS that has been upgraded to High Sierra 10.13 or greater.
- Systems with local console access, such as shared usage computers in teaching or lab environments, where users of shared computers are not privileged with root access.
- Systems with Apple Remote Desktop (ARD) enabled.
Systems Not at Risk:
- Mac OS's prior to High Sierra 10.13 or greater.
- Systems using SSH (Secure Shell).
Recommended Actions:
The following are recommended actions for those Mas OSX High Sierra 10.13 or greater users:
- A possible fix is to create a root account, then set a password and leave it enabled. Instructions can be found here: https://support.apple.com/en-us/HT204012.
- If you do not have the latest Mac OS, do not upgrade to High Sierra 10.13 or greater until a patch is made available.
More Information:
