A major bug in Apple’s macOS gives anyone with physical access to a computer running the latest version of the High Sierra operating system admin access simply by entering “root” in the user name field, leaving the password blank, and clicking through the login prompt.
The bug was publicized Tuesday by developer Lemi Orhan Ergin, founder of Software Craftsmanship Turkey, via Twitter. In his tweet he simply stated:
“Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as ‘root’ with empty password after clicking on login button several times. Are you aware of it @Apple?”
— Lemi Orhan Ergin (@lemiorhan) November 28, 2017
Security researchers have since confirmed the bug in macOS 10.13, the most recent version of the OS. According to researchers, the bug works from both the lock screen and the authentication dialog in System Preferences.
Users exploiting the bug authenticate as a “System Administrator,” which gives them full access to view any file on the system and to change or reset the passwords of other users on the same Mac.
In a statement Apple said:
“We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section.”
“In High Sierra this bug now allows anyone to become a system administrator who types ‘root’ in the authentication prompt and then hits enter. Behind the scenes that enables the root account and then sets a blank password. The second time you click ‘OK’ that correctly authenticates the account and you have root access,” said Patrick Wardle, director of research with Synack.
Wardle told Threatpost the implications of this bug are far reaching and go beyond simply gaining access to the local computer. For starters, he said attackers could use the flaw in conjunction with malware to elevate privileges locally, make changes to a system and add applications such as a keylogger. For systems on a corporate network, if a macOS computer has screen sharing enabled, a remote attacker on the same network could under certain circumstances also use this bug to attack remotely.
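The following script is an added example, not code from the article, from Apple or from Synack. It turns Apple’s interim guidance (make sure root has a real password) and Wardle’s description of the mechanism (an authentication attempt as root is what enables the account with an empty password) into a check an administrator can run on a fleet. It assumes the stock macOS tools sw_vers, dscl and passwd behave as their man pages describe; the dscl output strings used for testing are constructed for illustration, and the verdict wording is the author’s own. Note what it does not do: it never probes by authenticating as root with an empty password, because on an affected system that probe is itself the trigger.

```shell
#!/bin/sh
# Added example, not code from the article, Apple or Synack: audit a Mac for
# the High Sierra root-login condition described above and apply Apple's
# interim mitigation (set a root password). Relies on the stock macOS tools
# sw_vers(1), dscl(1) and passwd(1); the dscl output strings referenced in
# comments are constructed for illustration.
#
# Deliberately does NOT probe by authenticating as root with an empty
# password: per Wardle's description, an authentication attempt as root is
# exactly what enables the account (with a blank password) on an affected system.

# Classify `sw_vers -productVersion` output. Only 10.13.x is in scope here.
classify_version() {
    case "$1" in
        10.13|10.13.*) echo high-sierra ;;
        *)             echo other ;;
    esac
}

# Parse the output of `dscl . -read /Users/root AuthenticationAuthority`.
# With root never enabled the command fails ("No such key") and prints
# nothing useful; once the account is enabled (by the bug or by an admin)
# the key exists and carries a ShadowHash entry. Returns 0 if root is enabled.
root_enabled_from_dscl() {
    printf '%s\n' "$1" | grep -q '^AuthenticationAuthority:.*ShadowHash'
}

# Turn the gathered facts into a verdict. Every High Sierra outcome ends in
# the same action Apple recommends: make sure root has a non-empty password.
verdict() {
    case "$1/$2" in
        high-sierra/yes) echo "root enabled: it may carry the empty password the bug sets; change the root password now" ;;
        high-sierra/no)  echo "root disabled: on an unpatched system the first 'root' login attempt enables it; set a root password now" ;;
        *)               echo "not High Sierra: out of scope for this check" ;;
    esac
}

# Live query (macOS only). dscl exits non-zero when the key is absent, so
# swallow the error and let the parser decide.
live_root_enabled() {
    out=$(dscl . -read /Users/root AuthenticationAuthority 2>/dev/null) || out=""
    if root_enabled_from_dscl "$out"; then echo yes; else echo no; fi
}

# Apple's mitigation: give root a non-empty password. passwd(1) prompts
# interactively, so the secret never appears in argv or shell history.
set_root_password() {
    [ "$(id -u)" -eq 0 ] || { echo "run with sudo" >&2; return 1; }
    passwd root
}

# Only act when invoked with a subcommand, so sourcing the file is harmless.
case "${1:-}" in
    check) verdict "$(classify_version "$(sw_vers -productVersion)")" "$(live_root_enabled)" ;;
    fix)   set_root_password ;;
esac
```

Run `sh root_check.sh check` on each Mac to get a one-line verdict, then `sudo sh root_check.sh fix` to set the password. The parsing and verdict logic is kept in separate functions from the live dscl call so the decision can be exercised against captured output without touching the directory service on the test machine.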
Wardle points out that this isn’t the first serious bug Apple’s macOS High Sierra has had to contend with. In October, Apple rushed out an emergency patch that fixed another major bug (CVE-2017-7149) in its High Sierra operating system that revealed APFS volume passwords via the password hint feature.
“We are seeing some pretty serious missteps here where Apple has shipped an operating system with some pretty bad security issues,” Wardle said. “Any operating system is going to have its share of flaws, but these kinds of bugs look like Apple didn’t even test them. These are not very difficult bugs to trigger.”
“Apple, like any company, is never going to be able to test everything. That’s why bug bounty programs are a great way to improve your security posture. Apple has one for iOS, but not for macOS. It escapes me why they don’t have one for macOS. Clearly there are bugs here that need to be addressed,” Wardle said.