Critical macOS High Sierra Root Flaw

By Bryce Briggles on December 1, 2017

This week, a critical and baffling vulnerability was discovered in macOS High Sierra that allows users to gain full (root) access to a Mac without a password or any other type of verification. Fortunately, this vulnerability only affects the newest version of macOS, High Sierra (10.13).

Login interface

To exploit the weakness, any user with physical access can enter “root” in the username field at any password prompt and hit Enter a couple of times to gain unfettered admin access. Behind the scenes, the first press of Enter enables the root account with a blank password, and the second press successfully authenticates the user.

For more information concerning the vulnerability click here.

Example Video Link.

Prevention

Nearly a day after the vulnerability was released to the public, Apple announced that a patch was now available.

Users who are unable to update to the newest version for any reason can enable the root user with a password to prevent exploitation:

  • Open System Preferences and click Users & Groups
  • Click the lock icon and enter your username and password
  • Click Login Options and Join at the bottom of the screen
  • Select Open Directory Utility and click the lock icon
  • Click Edit on the top of the menu bar and Enable Root User and set the password from there

With this mitigation in place, users can no longer gain root access with a blank password.

It is also a good idea to disable Guest accounts:

  • Open System Preferences and click Users & Groups
  • Click Guest User, enter your credentials, and uncheck Allow guests to log in to this computer
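The checks behind both procedures above can also be read from Terminal. The script below is an added example, not part of the original article or Apple's guidance: it reports the macOS version, whether the root account is enabled, and whether guest login is allowed. The function names are hypothetical, and it assumes that `dscl` reports a disabled root account with the password marker `*`.

```shell
#!/bin/sh
# Added example: audit the settings the Prevention steps change.

# Succeeds when the version is in the 10.13 line the article names.
is_high_sierra() {
    case "$1" in 10.13|10.13.*) return 0 ;; esac
    return 1
}

# Classify the output of `dscl . -read /Users/root Password`.
# Assumption: a disabled root account reports the marker "*".
root_state() {
    value=$(printf '%s\n' "$1" | sed -n 's/^Password:[[:space:]]*//p')
    case "$value" in
        '')  echo unknown ;;
        '*') echo disabled ;;
        *)   echo enabled ;;
    esac
}

# Classify the loginwindow GuestEnabled preference (1 = guests may log in).
guest_state() {
    case "$1" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Print one finding per check. Args: version, dscl output, GuestEnabled value.
audit() {
    if is_high_sierra "$1"; then
        echo "version: $1 (High Sierra): confirm Apple's patch is installed"
    else
        echo "version: $1: outside the 10.13 line"
    fi
    echo "root: $(root_state "$2")"
    echo "guest: $(guest_state "$3")"
    [ "$(root_state "$2")" = disabled ] && is_high_sierra "$1" &&
        echo "action: patch, or enable root with a password in Directory Utility"
    return 0
}

# Query the live system only where the macOS tools exist.
if command -v sw_vers >/dev/null 2>&1 && command -v dscl >/dev/null 2>&1; then
    audit "$(sw_vers -productVersion)" \
        "$(dscl . -read /Users/root Password 2>/dev/null)" \
        "$(defaults read /Library/Preferences/com.apple.loginwindow GuestEnabled 2>/dev/null)"
fi
```

The script only reads state; it cannot tell whether an enabled root account has a blank password, so confirm that in Directory Utility.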

Sources:
https://thehackernews.com/2017/11/mac-os-password-hack.html
https://objective-see.com/blog/blog_0x24.html

Note: The purpose of the weekly executive summary is to provide useful information that a business or agency could use in both its cybersecurity and business strategies. In order for this website to serve the community, we need to know your concerns and questions about (for example) proper safeguards for technology you’re looking into or what sets of compliance and governance policies you would need to operate a particular business. The CSCC openly invites you to send in your inquiries. We’ll have students research your issues and provide an analysis of the information at hand to guide you with all things cybersecurity. Mail us at: uhwocscc@hawaii.edu