Apple MacOS High Sierra flaw: anyone can gain entry without the use of a password

Discussion in 'Apple and Mac OS X' started by hmscott, Nov 29, 2017.

  1. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    3,692
    Messages:
    13,733
    Likes Received:
    15,961
    Trophy Points:
    931
    Apple rushes to resolve ‘huge’ password glitch on its new operating system
    • A major flaw in the way the MacOS High Sierra operates means that anyone can gain entry to a computer without the use of a password
    • Warnings about the bug were shared by computing experts such as Edward Snowden, who described Apple's operating system as "really bad" on Tuesday
    • While Apple works on permanently fixing the problem, the tech giant offered a workaround for users concerned about any possible ramifications on its website
    https://www.cnbc.com/2017/11/29/app...uge-password-glitch-on-macos-high-sierra.html



    Apple's High Sierra allows root with no password, there's a workaround to help
    Security experts warn the public not to try and test the issue locally or remotely, as there is a risk of increasing the attack surface.
    https://www.csoonline.com/article/3...-no-password-theres-a-workaround-to-help.html
    Earlier this afternoon on Twitter, a developer posted a screenshot and reported it was possible to obtain root access on Apple's High Sierra without a password.

    [Note: Apple has released a fix for this issue, calling it a "logic error". Please note, once the patch is applied, if you need the root user you will need to re-enable that account and change its password. All previous updates are below.]

    Several users recreated this issue on their own systems, including a staffer here at IDG. However, as problematic as this issue is, the workaround is rather easy.

    The issue was first reported by Lemi Orhan Ergin, a developer in Istanbul, Turkey. In his initial tweet, directed to Apple, he explained the issue fully, which allowed others to confirm the problem on their own systems.

    the problem was confirmed, even as a standard user, and that creating new administrators resulted in the ability to disable the firewall and file vault, enable sharing, remote logins, and more.

    The issue discovered in High Sierra is a bad one, but there is a workaround that seems to solve the issue. Enable the root user account with a strong password.

    Apple recommends that the root user be disabled after a password is set, which is solid advice in the long run, especially if the account isn't needed (hint: it isn't).

    At this point, it's not clear if High Sierra is the only OS affected. Internal testing here at IDG couldn't reproduce the issue on anything other than High Sierra.

    including VNC and Apple Remote Desktop. This was confirmed shortly after the public started looking at the bug by various researchers.

    Another important note comes from researchers at Bugcrowd. Those testing (exploiting) the problem locally will open themselves up to remote attack. Especially via Screen Sharing.

    "By testing this vulnerability on your own computer, you'll end-up creating (or modifying) a persistent root user account on your system. The danger here is that, by creating such an account, it will affect remotely accessible services such as Remote Desktop," explained Bugcrowd's Keith Hoodlet, Trust and Security Engineer.

    "By testing this vulnerability on your own system, you remove existing safeguards around the root (i.e. God-mode) user - enabling passwordless root access to your system. Given the level of access the root account has, it has many (and wide-ranging) potential security impacts, including remote access through various services. We have internally confirmed that it adversely affects the Screen Sharing service."

    Apple says they're working on a software update to address the issue, and is directing users to a support document explaining how to enable root and set a secure password. [Apple has released a fix, you can find that here if you missed the link above.]

    We'll keep updating this story as new information emerges.

    Update:
    Rob Fuller, also known as Mubix, has some sound advice for those who are enabling and setting a root password in order to deal with today's problems. Randomize them, since you won't actually need the account.


    While the original command with echo will work for some, others may need the code below:

    cat /dev/urandom | env LC_CTYPE=C tr -dc a-zA-Z0-9 | head -c 60 | xargs -I rootpw sudo dscl . -passwd /Users/root rootpw

    Update 2:
    There has been a bit of a debate after Tuesday's disclosure. Those in the Responsible Disclosure camp disagree with how the issue was brought to Apple's attention, namely in a public tweet. However, the root password bug was being suggested on Apple's Developer Forums as a helpful tip earlier this month. [Archive Link]

    Update 3 (The issue is bigger than a blank password):
    Hours after the internet first learned about the High Sierra flaw that leaves the root account exposed (Apple has promised a fix), one security researcher has discovered the issue is far more serious than a blank password.

    In fact, researchers who have been scanning the internet might have accidentally created a wider attack surface and left users exposed. The video below explains.

    So, if anyone is scanning the internet and trying to make connections to exposed Apple boxes, stop.

    "You are setting the root password to every machine you authenticate to, as a blank password or whatever you choose to put into the password field," security researcher Tom Ervin explains.

    Doing so may make things harder for Apple to address all of these compromised systems.

    "How are they going to know the difference between a system somebody has intentionally set the password for, and a system that somebody has exploited this vulnerability on and set the password for that user?" Ervin asked.

    Again, it is critical that a password for the root user be set. For the scenario shown in this video, a password for the root account seems to address the flaw and prevent remote exploitation. It's also wise to disable Apple Remote Desktop.

    Ervin is continuing to research other attack surfaces, and we’ll update as his work progresses.

    Update 4 (Apple has released a fix, update your systems):
    Apple has released Security Update 2017-001 to address what they call a "logic flaw" that allowed the abuse of the root user account locally and in some cases, remotely. All macOS users are encouraged to install the patch immediately.

    After the patch is installed, if the root user is required (it shouldn't be), the account will need to be re-enabled and have its password reset. Additional details are in Apple's advisory.

    [This story was updated to include links to Apple's documentation, and to mention that they recommend deactivating the root user account once a password is set.]
     
    Last edited: Nov 29, 2017
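The mitigation quoted in the post above (set a long random root password, then disable the root account) as a small shell helper. This is an added example, not code from the article, from Rob Fuller, or from Apple: the password generator is portable and mirrors the `tr`/`head` pipeline in the post; the `dscl`/`dsenableroot` steps are assumed to behave as on High Sierra and are skipped on non-macOS systems. Function names (`gen_root_pw`, `pw_ok`, `set_random_root_pw_and_disable`) are this example's own.

```shell
#!/bin/sh
# Added example around the mitigation described in the thread. The random
# password is generated, used once to replace the blank root password, and
# then discarded, since the account is not meant to be used afterwards.

# Generate a random alphanumeric password of the requested length (default 60).
# Assumption: /dev/urandom and POSIX tr/head are available (true on macOS and Linux).
gen_root_pw() {
    len="${1:-60}"
    LC_CTYPE=C tr -dc 'a-zA-Z0-9' </dev/urandom | head -c "$len"
}

# Return 0 only if the candidate is exactly the expected length and contains
# nothing outside [a-zA-Z0-9]; this refuses to continue if generation produced
# a short or empty string (for example a broken pipe).
pw_ok() {
    pw="$1"; len="${2:-60}"
    [ "${#pw}" -eq "$len" ] || return 1
    case "$pw" in
        *[!a-zA-Z0-9]*) return 1 ;;
    esac
    return 0
}

# macOS only: set a random root password, then disable the root account, in
# the order Apple's guidance (as quoted in the post) recommends. The password
# is never printed or stored. Assumption: dscl and dsenableroot behave as on
# High Sierra; dsenableroot -d prompts for an admin user name and password.
set_random_root_pw_and_disable() {
    command -v dscl >/dev/null 2>&1 || { echo "dscl not found; not macOS" >&2; return 2; }
    pw="$(gen_root_pw 60)"
    pw_ok "$pw" 60 || { echo "password generation failed" >&2; return 1; }
    # As with the xargs one-liner in the post, the password is briefly visible
    # in the process argument list; acceptable here because it is discarded.
    sudo dscl . -passwd /Users/root "$pw" || return 1
    unset pw
    sudo dsenableroot -d
}
```

Run `set_random_root_pw_and_disable` on an affected Mac that has not yet received Security Update 2017-001; on a patched system the root account is already disabled, and Apple's advisory covers re-enabling it if it is genuinely needed.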
  2. hmscott
    Apple issues quick fix for macOS High Sierra ‘root’ security bug
    Update High Sierra NOW!

    https://www.macworld.com/article/32...admin-access-to-your-macbut-theres-a-fix.html

    "Update 11/29/17: Apple has released an official fix for the issue via a security update. You can install the update by launching the App Store app, and then click on Updates. Press Command-R to reload the Updates page to see new updates. It will appear as “Security Update,” and you can click on the Update button to install it. Your Mac does not need to restart.

    If you have problems with file sharing after installing the update, here are instructions on repairing file sharing."

    Apple issued the following statement to Macworld:

    Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS.

    When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8 a.m., the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.

    We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.


    For previous info from that article, please go to the MacWorld article link:
    https://www.macworld.com/article/32...admin-access-to-your-macbut-theres-a-fix.html
     