MacOS High Sierra Authentication Vulnerability

At Tozny, we care very deeply about security and helping our friends and customers stay secure. If you think you’ve found a security vulnerability in an application or operating system, please reach out to the project’s maintainers directly to alert them of the issue.
Earlier today, several Twitter users started talking about a potential vulnerability in Apple’s latest operating system. The bug allowed an otherwise authenticated user to unlock settings screens using the username of “root” with an empty password. In computing, this “root” user is often the default system administrator baked into the operating system; accessing that account without a password is indeed a critical issue. Unfortunately, the issue goes much deeper.
UPDATE: Apple has released an urgent security fix that corrects the logic error that triggered this bug in the first place. If you’re running MacOS High Sierra, be sure to install this critical update as soon as possible!

Unauthorized Root Access

The bug does more than allow access to the “root” user: it enables this user account, which is typically disabled by default! Attempting to authenticate as the “root” user enables access and sets the password to an empty string. Once this is done, a third party can log in to the machine as the root user, again using no password. Further, if a Mac allows guest access, anyone can log in as a guest user and enable this root user account. They can then log back out and reauthenticate as the root user, who has access to the entire system, including private keys stored in another user’s home directory!
UPDATE: After deeper review, it seems this vulnerability is exposed both to users with physical access to the machine and to those attempting to authenticate remotely using screensharing or VNC tools!

Remediating the Problem

Considering the initial reports went out via social networks and other media publications, Apple is well aware of the bug and is sure to be racing towards a permanent fix. In the meantime, there are specific steps you can take to protect your machine immediately. First, disable the Guest User account on your machine. This is the first route of entry for an unauthorized user and is potentially the way they would attempt to escalate their own privileges within the system.
  1. Open up System Preferences
  2. Select Users & Groups
  3. Click the lock to make changes
  4. Select the Guest User and ensure that the option is disabled

Ensure the Guest User is completely disabled to prevent attempts at privilege escalation.

Second, if the root user is enabled, set a password immediately.
  1. Open up the Directory Utility
  2. Click the lock to make changes
  3. In the Apple navigation bar, select Edit, then Change Root Password

Apple’s Directory Utility allows you to explicitly set a root password.

If this option is grayed out, it means the root user is not enabled in the first place. So long as guest access is also disabled, then a third party cannot necessarily take control of your machine using this vulnerability. However, this might not be the only way in. It might be a good idea to enable the root user and set an explicit, strong password to prevent this attack from occurring.
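
The two conditions above can also be checked from Terminal. The script below is an added example, not part of the original post. It assumes that `dscl . -read /Users/root AuthenticationAuthority` shows a ShadowHash entry when root is enabled and "No such key" when it is not, and that the loginwindow preference `GuestEnabled` reflects the Guest User setting; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the two settings the post says to check.
# Assumed (not from the post): the dscl/defaults queries and output shapes.

# Classify root from: dscl . -read /Users/root AuthenticationAuthority
root_state() {
    case "$1" in
        *ShadowHash*)    echo enabled ;;   # a local password hash is set
        *"No such key"*) echo disabled ;;  # attribute absent: root not enabled
        *)               echo unknown ;;
    esac
}

# Classify guest login from:
#   defaults read /Library/Preferences/com.apple.loginwindow GuestEnabled
guest_state() {
    case "$1" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;                 # key missing or unreadable
    esac
}

# Map both findings to the remediation steps from the post.
assess() {
    root=$(root_state "$1")
    guest=$(guest_state "$2")
    todo=""
    case "$guest" in
        enabled) todo="disable Guest User" ;;
        unknown) todo="check Guest User in Users & Groups" ;;
    esac
    case "$root" in
        enabled) todo="${todo:+$todo; }set a strong root password" ;;
        unknown) todo="${todo:+$todo; }check root in Directory Utility" ;;
    esac
    if [ -z "$todo" ]; then
        echo "OK root=$root guest=$guest"
    else
        echo "ACTION root=$root guest=$guest: $todo"
    fi
}

# Query the live system only on macOS; the functions above also accept
# captured output, so they can be exercised anywhere.
if [ "$(uname -s)" = "Darwin" ]; then
    r=$(dscl . -read /Users/root AuthenticationAuthority 2>&1 || true)
    g=$(defaults read /Library/Preferences/com.apple.loginwindow GuestEnabled 2>&1 || true)
    assess "$r" "$g"
fi
```

The script only reads directory and preference data and never attempts to authenticate as root, since the authentication attempt itself is what enables the account.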