ALERT: Apply update to protect against Mac OS vulnerability
Wednesday, November 29, 2017
11/29/17, 3:23 p.m. update: Apple is forcing automatic installation of the security update if you are running Mac OS High Sierra 10.13.1. The update will download and install automatically; you will be notified via an Apple Notification Center alert when it has been installed. If you are running other versions of High Sierra 10.13, you need to check the App Store for updates.
This message was sent to the IT Security Community, Frontline Notify, and Macsig groups via email on November 29, 2017. It is intended for U-M IT staff who are responsible for university Mac computers. It is also applicable to anyone with a personally owned Mac.
Summary
A security flaw has been detected in Mac OS High Sierra 10.13 or higher that could allow someone with physical or remote access to the computer to log in, change administrative settings, and gain full access to the computer simply by entering the username root with no password. If Apple Remote Desktop, SSH, or other remote access has been enabled, an attacker could gain remote access. Apple has just released an update to address the vulnerability.
Affected Systems
- Macs running Mac OS High Sierra 10.13 or higher. Macs running earlier versions of Mac OS are not affected.
Action Items
For U-M units that manage their own Macs
- Do not upgrade to High Sierra 10.13 or above.
- For Macs that are running High Sierra 10.13 or above, apply the update from Apple as soon as possible after appropriate testing.
- If you cannot immediately apply the patch:
  - Follow Apple's advice to set a strong root password for your managed Macs.
  - If any type of remote access (for example, Apple Remote Desktop, SSH, and so on) has been enabled, disable it if possible.
For MiWorkspace-managed and Izzy-managed Macs
- The MiWorkspace team has already implemented Apple's recommendation, via a silent update, for MiWorkspace Macs running High Sierra 10.13 or above, as well as for Macs in units that subscribe to the a la carte Izzy Mac service. MiWorkspace continues to recommend not updating to this OS.
For personally owned Macs
- Do not upgrade to High Sierra 10.13 or greater.
- If you have already upgraded to High Sierra 10.13 or greater, apply the update from Apple.
- If you have enabled any type of remote access (for example, Apple Remote Desktop, SSH, and so on), we recommend that you disable it if you aren't using it.
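The following shell script is an added example, not part of the U-M alert or Apple's guidance. It turns the action items above into a read-only audit an IT staff member could run on a managed Mac: it checks whether the installed macOS version falls in the affected range, whether the root account is currently disabled (the state in which the bug can be triggered), and whether Remote Login (SSH) or Screen Sharing is turned on. The parsing of command output is kept in separate functions so the logic can be tested off a Mac; the assumptions are that `sw_vers`, `dscl`, `systemsetup` and `launchctl` are the stock macOS tools and that a disabled root account has no `AuthenticationAuthority` attribute, which is how `dscl` behaves on High Sierra. Confirming that Apple's update is actually installed is left to the App Store check the alert describes.

```shell
#!/bin/sh
# Added example (not from the U-M alert): audit a Mac against the High Sierra
# root-login issue. Assumes stock macOS tools; see the comments on each check.

# is_affected_version VERSION
# True (exit 0) when VERSION is 10.13 or later, the range the alert names as
# affected; earlier releases return 1. Only major and minor are compared.
is_affected_version() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -s -d. -f2)
    minor=${minor:-0}
    [ "$major" -gt 10 ] || { [ "$major" -eq 10 ] && [ "$minor" -ge 13 ]; }
}

# root_state_from_dscl OUTPUT
# Classifies what `dscl . -read /Users/root AuthenticationAuthority` printed.
# Assumption: a disabled root account has no AuthenticationAuthority attribute,
# so dscl reports "No such key"; an enabled account lists its hash types.
root_state_from_dscl() {
    case "$1" in
        *"No such key"*)           echo "disabled" ;;
        *AuthenticationAuthority*) echo "enabled" ;;
        *)                         echo "unknown" ;;
    esac
}

# remote_login_from_systemsetup OUTPUT
# Parses `systemsetup -getremotelogin`, which prints "Remote Login: On|Off"
# (the command needs admin rights; anything else is reported as unknown).
remote_login_from_systemsetup() {
    case "$1" in
        *"Remote Login: On"*)  echo "on" ;;
        *"Remote Login: Off"*) echo "off" ;;
        *)                     echo "unknown" ;;
    esac
}

# audit: run the live checks on this Mac and print one line per finding.
audit() {
    ver=$(sw_vers -productVersion)
    if ! is_affected_version "$ver"; then
        echo "OK: macOS $ver predates High Sierra 10.13; not affected"
        return 0
    fi
    echo "CHECK: macOS $ver is in the affected range; confirm Apple's update is installed (App Store > Updates)"

    state=$(root_state_from_dscl "$(dscl . -read /Users/root AuthenticationAuthority 2>&1)")
    echo "root account: $state"
    if [ "$state" = "disabled" ]; then
        echo "  -> until patched, follow the alert: enable root and set a strong password (see Apple's how-to)"
    fi

    login=$(remote_login_from_systemsetup "$(systemsetup -getremotelogin 2>&1)")
    echo "Remote Login (SSH): $login"
    if [ "$login" = "on" ]; then
        echo "  -> disable if not needed: sudo systemsetup -setremotelogin off"
    fi

    # Screen Sharing / Remote Management registers the com.apple.screensharing
    # launchd job when enabled; its presence means remote desktop access is on.
    if launchctl list 2>/dev/null | grep -q com.apple.screensharing; then
        echo "Screen Sharing / Remote Management: on  -> disable in System Preferences > Sharing if not needed"
    fi
}

# Run the live audit only where the macOS tools exist, so the parsing helpers
# above can still be exercised on another platform.
if command -v sw_vers >/dev/null 2>&1; then
    audit
fi
```

Run it as an admin user (`sudo sh audit-root-bug.sh`) so that `systemsetup` can report the Remote Login state; without admin rights that check prints `unknown` rather than a wrong answer.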
References
- Vulnerability Note VU#113765: Apple MacOS High Sierra root authentication bypass (CERT)
- There's a bug in Apple's most recent operating system (CNN, 11/28/17)
- Pro tip: You can log into macOS High Sierra as root with no password (The Register, 11/28/17)
- Here's How to Temporarily Fix the macOS High Sierra Bug That Gives Full Admin Access to Your Mac Sans Password (MacRumors, 11/28/17)
- Major Apple security flaw grants admin access on macOS High Sierra without password (The Verge, 11/28/17)
- MacOS High Sierra 'root' bug allows admin access without a password: Who is affected and how to fix it (Pocket-lint, 11/29/17)
- There's an embarrassing and dangerous security hole in the latest Mac software (Business Insider, 11/28/17)
- How to enable the root user on your Mac or change your root password (Apple)