Apple's latest Mac operating system, macOS High Sierra 10.13.1, has a serious flaw in its login authentication mechanism. This flaw can allow anyone with access to the system to gain entry as root without providing the root password.
The bug was first made public by Turkish developer Lemi Ergin. He discovered that entering the username "root" with a blank password and then repeatedly pressing the login button would eventually grant him access to the entire system.
Bugs like this are hard to believe: who would imagine gaining access to the root user so easily? In a world fraught with memory corruption issues, privilege escalations and similar vulnerabilities that take considerable effort to exploit, this bug is a nasty one because it allows anyone with an unpatched version of macOS High Sierra to gain entry into the system.
Apple has been quick to respond and has provided both a workaround and a patch. However, past experience shows that when critical vulnerabilities are discovered and patches are made available, organizations often take ages to implement them.
Patch
Apple has provided a patch for this bug, available for download through the Mac App Store. The vulnerability CVE-2017-13872 is fixed by Security Update 2017-001. Open the Mac App Store, click Updates in the App Store toolbar, and you should see the update available for download.
Workaround
Enable or disable the root user
- Choose Apple menu > System Preferences, then click Users & Groups (or Accounts).
- Click the lock icon, then enter an administrator name and password.
- Click Login Options.
- Click Join (or Edit).
- Click Open Directory Utility.
- Click the lock icon in the Directory Utility window, then enter an administrator name and password.
- From the menu bar in Directory Utility, choose Edit > Enable Root User, then enter the password that you want to use for the root user.
- Or choose Edit > Disable Root User.
Log in as the root user
When the root user is enabled, you have the privileges of the root user only while logged in as the root user.
- Choose Apple menu > Log Out to log out of your current user account.
- At the login window, log in with the username "root" and the password you created for the root user. If the login window is a list of users, click Other, then log in.
Remember to disable the root user after completing your task.
Change the root password
- Choose Apple menu > System Preferences, then click Users & Groups (or Accounts).
- Click the lock icon, then enter an administrator name and password.
- Click Login Options.
- Click Join (or Edit).
- Click Open Directory Utility.
- Click the lock icon in the Directory Utility window, then enter an administrator name and password.
- From the menu bar in Directory Utility, choose Edit > Change Root Password…
- Enter a root password when prompted.
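The patch and the workaround above both leave a trace that can be checked from the command line. The following script is an added example and not part of the eScan post or of Apple's guidance: it is a read-only audit that reports whether Security Update 2017-001 is installed and whether the root account currently has a password. It assumes that `dscl . -read /Users/root AuthenticationAuthority` prints "No such key" while root is disabled and a `;ShadowHash;...` value once a root password exists, and that `system_profiler SPInstallHistoryDataType` lists the update by the name Apple gave it. The classification functions take text as input so the logic can be exercised off a Mac with constructed samples.

```shell
#!/bin/sh
# Added example (not from the eScan post): read-only audit of a Mac's
# CVE-2017-13872 state. Assumptions: `dscl` prints "No such key" when root
# has no AuthenticationAuthority attribute (root disabled, no password) and
# a ";ShadowHash;..." value once a root password is set; the install history
# names the fix "Security Update 2017-001".

# Classify the root account from the text that
#   dscl . -read /Users/root AuthenticationAuthority
# prints. Echoes one of: disabled, enabled, unknown.
classify_root_state() {
    case "$1" in
        *"No such key"*) echo "disabled" ;;   # no password set: the state the bug abused
        *ShadowHash*)    echo "enabled" ;;    # a password hash exists for root
        *)               echo "unknown" ;;
    esac
}

# Exit 0 when the install-history text lists the security update.
patch_installed() {
    printf '%s\n' "$1" | grep -q 'Security Update 2017-001'
}

# Combine root state ($1) and patch status ($2: yes/no) into one verdict.
verdict() {
    if [ "$2" = "yes" ]; then
        echo "PATCHED"
    elif [ "$1" = "disabled" ]; then
        echo "VULNERABLE: root has no password and Security Update 2017-001 is missing"
    elif [ "$1" = "enabled" ]; then
        echo "WORKAROUND: root has a password but Security Update 2017-001 is still missing"
    else
        echo "UNKNOWN: could not read root's AuthenticationAuthority"
    fi
}

# Live audit; only meaningful on macOS, so it is skipped elsewhere.
audit_mac() {
    auth=$(dscl . -read /Users/root AuthenticationAuthority 2>&1)
    state=$(classify_root_state "$auth")
    if patch_installed "$(system_profiler SPInstallHistoryDataType 2>/dev/null)"; then
        patched=yes
    else
        patched=no
    fi
    echo "macOS $(sw_vers -productVersion), root account: $state, patch installed: $patched"
    verdict "$state" "$patched"
}

if [ "$(uname)" = "Darwin" ]; then
    audit_mac
else
    # Constructed sample dscl outputs so the logic can be run on any system.
    sample_disabled='No such key: AuthenticationAuthority'
    sample_enabled='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'
    verdict "$(classify_root_state "$sample_disabled")" no
    verdict "$(classify_root_state "$sample_enabled")" no
fi
```

Run it with administrator rights on the Mac being checked (`sudo sh audit-root.sh`). One limitation worth knowing: the script can tell that a root password hash exists, not whether that password is strong, so on a machine that was exposed while unpatched, "WORKAROUND" should still be followed by changing the root password as described above and then installing the update.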
Read More – blog eScan