A security researcher has warned of a serious vulnerability in Apple's macOS 10.13 High Sierra which allows anyone to bypass any system authentication prompt - including the main login screen - with the username 'root' and a blank password, gaining complete control over the device.
Launched in September this year, macOS High Sierra is the latest version of what was formerly known as OS X. Available as a free upgrade to users of recent Apple devices, High Sierra introduces a range of shiny new features - and, sadly, a major security bug which leaves devices in their default configuration at serious risk of attack.
First spotted by researcher Lemi Orhan Ergin and publicised via Twitter, the flaw is simple: where a macOS High Sierra device requests a username and password, whether that's to unlock a system dialogue such as the password keyring or to log in at the main screen, entering 'root' and no password before hitting the 'Unlock' button a few times will grant you immediate and complete access with system administrator privileges.
The attack works despite, or potentially because of, Apple's default setting, which is to disable the 'root' user account and leave it with a blank password. For some reason, the authentication system in High Sierra ignores the fact that the account is disabled and allows it to be used for any purpose.
There are mitigations in place, however. If Guest Accounts are disabled - something which is only possible if you are not using the Find My Mac anti-theft feature of the operating system - attackers will be unable to pick the 'Other' option at the main login screen in order to enter the 'root' username, though privilege escalation attacks against authentication dialogues on a currently-logged-in system are still possible. If Guest Accounts are enabled, or if the user has selected to use the old-fashioned username-and-password login screen in place of its icon-based replacement, however, access is possible even from a cold boot.
The flaw is also exploitable remotely: if a macOS High Sierra system is configured to allow remote desktop access, users can authenticate with the root account and take full control of the system across the network, regardless of whether or not a password is set on the main user account.
While Apple scrambles to patch the hole - which follows a similar gaffe in the company's disk encryption system, whereby a coding error allowed users to retrieve the plain-text password to unlock a disk simply by clicking the password hint button - a workaround is available: Open the Directory Utility, click the Edit menu, choose Enable Root User, click the Edit menu again, choose Change Root User Password, and enter a strong password.
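The following script is an added example, not something from the article or from Apple: it checks whether the workaround above has actually been applied on a Mac (that is, whether the root account now carries a password hash) and prints the command-line equivalent of the Directory Utility steps when it has not. It assumes that `dscl . -read /Users/root AuthenticationAuthority` reports the account's authentication authority, that a `;ShadowHash;` entry in that value means a password is stored, and that `dsenableroot` enables root and sets its password interactively; the empty value used when the script is not run on macOS is a constructed sample standing in for a root account with no password.

```shell
#!/bin/sh
# Added example (not from the article): audit whether the root account has a
# password set, and point at the CLI equivalent of the Directory Utility fix.
#
# Assumptions, not taken from the article:
# - `dscl . -read /Users/root AuthenticationAuthority` prints the root
#   account's authentication authority; a `;ShadowHash;` entry means a
#   password hash is stored. A root account with no password has none.
# - `sudo dsenableroot` enables root and asks for a new root password.

# Return 0 if the authority string carries a stored password hash.
root_has_password_hash() {
  case "$1" in
    *';ShadowHash;'*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print "password-set" or "no-password" for the given authority string.
classify_root() {
  if root_has_password_hash "$1"; then
    echo password-set
  else
    echo no-password
  fi
}

# Read the live value on macOS. Elsewhere, return a constructed empty value
# that mirrors a root account with no password (not read from a real system).
read_root_authority() {
  if [ "$(uname -s)" = Darwin ] && command -v dscl >/dev/null 2>&1; then
    dscl . -read /Users/root AuthenticationAuthority 2>/dev/null \
      | sed 's/^AuthenticationAuthority: *//'
  else
    echo ''
  fi
}

main() {
  authority=$(read_root_authority)
  state=$(classify_root "$authority")
  echo "root account: $state"
  if [ "$state" = no-password ]; then
    echo "No root password is stored. Set one now; this is the command-line"
    echo "equivalent of Directory Utility -> Edit -> Enable Root User /"
    echo "Change Root User Password:"
    echo "  sudo dsenableroot   # asks for your admin password, then a new root password"
  fi
}

main "$@"
```

Run it with `sh audit-root.sh` on the Mac in question; on any other system it only exercises the classification logic against the constructed empty value. A stored hash is the condition the article's workaround establishes, so "password-set" is the state you want to see after applying it.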
March 25 2020 | 14:00