InfoSec Blog - A “root” account on macOS with no password, really?

November 29, 2017

As the saying goes: “Because it’s 2017!”  Well, in this case it should be: “Isn’t it 2017?”

You may have seen the announcement yesterday (Nov 28, 2017), or one of the many follow-on articles, regarding a new vulnerability in macOS High Sierra (10.13). Essentially, the vulnerability is that under some circumstances the account called “root” can be logged into with no password. Why is this a problem? Well, “root” is the administrative super-account, holding every administrative privilege on the computer. It is a fundamental part of Unix operating systems, and became part of macOS when Apple decided, around 2000, to build its operating system on top of Unix* and incorporate its features. Security folks are scratching their heads over how this got past testing.

How big is the problem?

Well, sizable. Getting “root” or admin access is the Holy Grail of any hacking attempt, and on a vulnerable system this is trivial if you have local access. It is unclear to what extent the vulnerability is remotely exploitable: under the default installation it isn’t, but if you have remote access enabled, it well could be. Older versions (Sierra 10.12.6 and earlier) are not vulnerable. At the UofG, CCS Managed Desktops does not deploy High Sierra yet, so CCS-supported Macs are not vulnerable. Individually purchased Macs may be.

What can I do?

Happily, the fix is straightforward. 

  1. Give the “root” account a secure password (and keep that password secure!)

  2. Install the patch released today: https://support.apple.com/en-ca/HT208315

  3. Follow good practices for Mac Security:

  • Keep current with your system patches, especially security patches.

  • Install good Antivirus software - there are viruses for Macs! McAfee Endpoint Security is available on U of G Software Distribution (See https://www.uoguelph.ca/ccs/service/software)

  • Install only the applications you need.

  • Open only the minimal services or internet ports you require to get your work done.
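As an added example (not part of the original post, and not Apple’s own tooling), the shell script below checks the two facts that steps 1 and 2 depend on: whether the Mac is on the High Sierra (10.13) line that the post names as affected, and whether the “root” account is currently enabled. It is read-only and never tries to authenticate. The version and directory-service parsing are written as plain functions so they can be exercised on any system; the live check at the end only runs when the macOS tools `sw_vers` and `dscl` are present. One assumption is made about output format: `dscl . -read /Users/root AuthenticationAuthority` is taken to print “No such key: AuthenticationAuthority” when root is disabled (the default) and an “AuthenticationAuthority: …” line when it is enabled.

```shell
#!/bin/sh
# Added example, not from the original post: a read-only check of the macOS
# version line and the state of the "root" account. Assumption: dscl prints
# "No such key: AuthenticationAuthority" when root is disabled and an
# "AuthenticationAuthority: ..." line when it is enabled.

# Returns 0 if the product version is in the High Sierra (10.13.x) line the
# post names as affected; 1 for anything else (Sierra 10.12.6 and earlier).
is_high_sierra() {
  case "$1" in
    10.13|10.13.*) return 0 ;;
    *)             return 1 ;;
  esac
}

# Given the text printed by `dscl . -read /Users/root AuthenticationAuthority`,
# returns 0 if the root account appears enabled and 1 if it is disabled.
root_enabled_from_dscl() {
  case "$1" in
    *"No such key"*)            return 1 ;;
    *AuthenticationAuthority:*) return 0 ;;
    *)                          return 1 ;;
  esac
}

# Combines the two checks into one verdict string.
# Either High Sierra verdict still calls for installing the patch (step 2);
# "root-enabled" additionally means step 1 applies right now.
assess() {
  version="$1"
  dscl_out="$2"
  if ! is_high_sierra "$version"; then
    echo "not-affected-version"
  elif root_enabled_from_dscl "$dscl_out"; then
    echo "high-sierra-root-enabled"
  else
    echo "high-sierra-root-disabled"
  fi
}

# Live check, only when the macOS tools exist. If root is enabled, give it a
# strong password (sudo passwd root) or disable it (sudo dsenableroot -d),
# then install the patch.
if command -v sw_vers >/dev/null 2>&1 && command -v dscl >/dev/null 2>&1; then
  ver="$(sw_vers -productVersion)"
  out="$(dscl . -read /Users/root AuthenticationAuthority 2>&1)"
  echo "macOS $ver: $(assess "$ver" "$out")"
fi
```

Run it as an ordinary user; it needs no privileges because it only reads the version string and one directory-service attribute. A verdict of `high-sierra-root-disabled` is not a clean bill of health: the bug can enable the account on an unpatched machine, so step 2 still applies.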

Kudos to Apple for providing a patch so quickly, but really this issue should not have slipped past.
 
Written by: Hanna Guan and Gerrit Bos
 
* Technically FreeBSD, an open source version of Unix