Firstly, we would like to point out that security experts warn the public not to try to test the issue locally or remotely, as doing so increases the attack surface.
It all started on Twitter, where a software developer claimed it was possible to obtain root access on Apple’s High Sierra without a password. That is a pretty strong claim if you understand exactly what root access to a system affords you.
Lemi Orhan Ergin, in his initial tweet, directed his findings directly to Apple.
The issue Lemi discovered in High Sierra is a serious one: root access to a system allows you to play God and grants every permission possible to make changes. At this point, it is not clear whether High Sierra is the only OS affected. That said, our in-house tests have failed to reproduce the error on any other version of Apple’s recent OS releases.
High Sierra users need to address this issue urgently, as the root password bug is exploitable remotely, including through services such as VNC and Apple Remote Desktop.
However, those wanting to test their own systems should proceed with caution: testing locally will open the system up to remote attack, especially via Screen Sharing.
“By testing this vulnerability on your own computer, you’ll end up creating (or modifying) a persistent root user account on your system. The danger here is that, by creating such an account, it will affect remotely accessible services such as Remote Desktop,” explained Bugcrowd’s Keith Hoodlet, Trust and Security Engineer.
“By testing this vulnerability on your own system, you remove existing safeguards around the root (i.e. God-mode) user – enabling passwordless root access to your system. Given the level of access the root account has, it has many (and wide-ranging) potential security impacts, including remote access through various services. We have internally confirmed that it adversely affects the Screen Sharing service.”
Apple has today released an update to address this rather serious security hole in its software, and we would suggest you install it at your earliest convenience.
Apple has released Security Update 2017-001 to address what they call a “logic flaw” that allowed the abuse of the root user account locally and, in some cases, remotely. All macOS users are encouraged to install the patch immediately.
After the patch is installed, if the root user is required (it shouldn’t be), the account will need to be re-enabled and have its password reset.
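Because the lasting side effect of “testing” this bug is an enabled root account that remote services will honour, the check a Mac administrator wants is whether root is currently enabled on a given machine. The script below is an added example, not from the article or from Apple; it assumes that `dscl . -read /Users/root Password` prints `Password: *` while root is disabled and a masked value such as `Password: ********` once root has been enabled, and that `dsenableroot -d` is the supported way to disable the account again.

```shell
#!/bin/sh
# Added example: report whether the macOS root account is enabled.
# Assumption (not stated in the article): dscl shows "Password: *" for a
# disabled root account and a masked hash ("********") once it is enabled.

# Parse dscl output read from stdin; return 0 (true) when root looks enabled.
root_enabled_from_dscl() {
    pw=$(sed -n 's/^Password: *//p')
    case "$pw" in
        "*"|"") return 1 ;;   # "*" = disabled, "" = attribute missing
        *)      return 0 ;;   # any other value means a password is set
    esac
}

# Run the check on the machine this executes on (meaningful only on macOS).
# Exit codes: 0 = root enabled, 1 = root disabled, 2 = could not determine.
check_root_on_this_mac() {
    if ! command -v dscl >/dev/null 2>&1; then
        echo "dscl not found: not macOS, nothing to check"
        return 2
    fi
    out=$(dscl . -read /Users/root Password 2>/dev/null) || {
        echo "dscl query failed; re-run with appropriate privileges"
        return 2
    }
    if printf '%s\n' "$out" | root_enabled_from_dscl; then
        echo "WARNING: root account is ENABLED on this Mac."
        echo "If it is not needed, disable it with: sudo dsenableroot -d"
        return 0
    fi
    echo "root account is disabled"
    return 1
}
```

Run `check_root_on_this_mac` on each Mac before and after installing Security Update 2017-001; a machine that reports root as enabled should have the account disabled (or, if root is genuinely required, given a fresh password) as the article advises.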