Apple has released an emergency fix for an embarrassing vulnerability that allowed people to access the highest privileges account on Mac computers without a password.
The vulnerability was disclosed by a user Tuesday on Twitter. He noticed that when prompted by the OS for a password for an administrative task he could just enter “root” in the user name field and clicking the unlock button two times to get in.
That’s a big security issue, because “root” is not only the highest privileged account on a UNIX-based operating system like macOS, but it’s supposed to be disabled by default in recent versions.
According to an analysis by Patrick Wardle, the director of research at penetration testing firm Synack, the reason why the first unlock attempt appears to fail is that, due to a bug, the OS’ opendirectory daemon actually re-enables the root account with the user-supplied blank password. The second unlock click then succeeds because the correct blank password has been used.
Apple released a security update Wednesday to address the credential validation issue and noted that the flaw only affects macOS High Sierra 10.13.1. The company said users who need the root account will have to re-enable it and set a password for it after applying the update.
One limiting factor for exploiting this vulnerability is that it needs to be triggered by an authenticated user of the system, either locally or remotely. However, once that’s done, the root user becomes available for authentication on the login screen and can be used to access the system even after a reboot.
“Any system that has the root account enabled (e.g. via testing for this vulnerability) may also expose the root account for use with remote administrative capabilities, such as the built-in ‘Screen Sharing’ or ‘Remote Management’ capabilities,” the CERT Coordination Center at Carnegie Mellon University warned in an advisory.
This means that people who tested if the vulnerability worked on their Macs after reading about it on Twitter or news articles, have actually exposed themselves to increased risk. Users who can’t immediately install the update should strongly consider applying a workaround that involves setting a strong password for the root account through the “sudo passwd -u root” command in the Terminal.
While this incident looks very bad for Apple, as macOS is considered to be one of the most secure operating systems around, credentials validation flaws in general are not a rare occurrence. Just last week, security appliances maker Fortinet patched a vulnerability in FortiWeb Manager that granted administrative access to users regardless of the password they provided.
“Modern computing is built up with layers upon layers of different interacting software systems,” said Mike Buckbee, security engineer at Varonis, via email. “With so many interactions, this virtually guarantees that serious vulnerabilities are going to be present. While massive efforts to QA and harden systems take place, it’s inevitable that something, somewhere is going to be missed. For an enterprise to be secure it can’t focus solely on the systems and vulnerabilities, but needs to look at the behavior of accounts, traffic and data on individual computing devices and the network.”
Yet Another Amazon S3 Misconfiguration Exposes Top Secret NSA and U.S. Army Data
The incidents of misconfigured enterprise storage repositories hosted on Amazon’s S3 service keep piling on. The latest case concerns a virtual appliance and other files associated with a cloud intelligence platform operated by the U.S. Army Intelligence and Security Command (INSCOM), a signals intelligence organization jointly run by the U.S. Army and the NSA.
According to researchers from UpGuard, who found the misconfigured bucket on Amazon S3, the .ova file inside contained a Linux-based operating system used for receiving, transmitting, and handling classified data. The system had several partitions containing metadata, instructions and technical configurations, some of which were marked as Top Secret and NOFORN—information that should not be shared with foreign nationals.
The UpGuard researchers found details in the files that suggest the appliance was associated with Red Disk, a Defense Department cloud intelligence platform, and that it was created by a contractor called Invertix.
“Third-party vendor risk remains a silent killer for enterprise cyber resilience,” the UpGuard researchers said in a blog post. “The transfer of information to an external contractor, such as Invertix, exposes the originating enterprise (in this case, INSCOM) to the consequences of a breach, but without direct oversight of how the data is handled.”
Earlier this month, UpGuard also found three misconfigured Amazon S3 storage buckets containing more than 1.8 billion online posts scraped from public websites for the U.S. military as part of an open-source intelligence-gathering operation. Those data repositories had also been created by a third-party vendor.