Apple Fixes MacOS High Sierra Root Access Vulnerability

Apple has released an emergency fix for an embarrassing vulnerability that allowed people to access the highest privileges account on Mac computers without a password.

The vulnerability was disclosed by a user Tuesday on Twitter. He noticed that when prompted by the OS for a password for an administrative task, he could simply enter “root” in the user name field, leave the password blank, and click the unlock button twice to get in.

That’s a big security issue, because “root” is not only the highest privileged account on a UNIX-based operating system like macOS, but it’s supposed to be disabled by default in recent versions.

According to an analysis by Patrick Wardle, the director of research at penetration testing firm Synack, the reason why the first unlock attempt appears to fail is that, due to a bug, the OS’ opendirectory daemon actually re-enables the root account with the user-supplied blank password. The second unlock click then succeeds because the blank password now matches the account’s stored credential.

Apple released a security update Wednesday to address the credential validation issue and noted that the flaw only affects macOS High Sierra 10.13.1. The company said users who need the root account will have to re-enable it and set a password for it after applying the update.

One limiting factor for exploiting this vulnerability is that it needs to be triggered by an authenticated user of the system, either locally or remotely. However, once that’s done, the root user becomes available for authentication on the login screen and can be used to access the system even after a reboot.

“Any system that has the root account enabled (e.g. via testing for this vulnerability) may also expose the root account for use with remote administrative capabilities, such as the built-in ‘Screen Sharing’ or ‘Remote Management’ capabilities,” the CERT Coordination Center at Carnegie Mellon University warned in an advisory.

This means that people who tested whether the vulnerability worked on their Macs after reading about it on Twitter or in news articles have actually exposed themselves to increased risk. Users who can’t immediately install the update should strongly consider applying a workaround that involves setting a strong password for the root account through the “sudo passwd -u root” command in the Terminal.
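A fleet-side audit helper for the issue described above, written here as an added example (it is not code from the article, Apple or CERT/CC): it flags hosts that report the affected product version and reads the root record’s AuthenticationAuthority attribute via dscl to tell whether root can currently log in. The dscl output formats it matches on are assumptions noted in the comments.

```shell
#!/bin/sh
# Added example, not code from the article, Apple or CERT/CC: audit helper for the
# High Sierra root issue. The pure helpers take strings so they can be tested
# offline; only check_host() talks to the live system (needs macOS tools).

# 0 (true) when the reported product version is the one Apple named as affected.
# Caveat: Apple's fix does not change the product version string, so a 10.13.1
# host is only "possibly affected" until the root state below is also checked.
version_affected() {
    case "$1" in
        10.13.1) return 0 ;;
        *)       return 1 ;;
    esac
}

# Decide from the output of   dscl . -read /Users/root AuthenticationAuthority
# whether the root account can currently authenticate.
# Assumed dscl output: a never-enabled root has no such key (dscl prints
# "No such key"), a root disabled with dsenableroot carries ";DisabledUser;",
# and an enabled root (including one enabled by the bug) carries ";ShadowHash;".
root_enabled_from_dscl() {
    case "$1" in
        *"No such key"*) return 1 ;;
        *DisabledUser*)  return 1 ;;
        *ShadowHash*)    return 0 ;;
        *)               return 1 ;;  # nothing usable for login found
    esac
}

# Verdict for the local host. Returns 0 = root disabled, 1 = root enabled
# (reachable through Screen Sharing / Remote Management logins, as CERT/CC
# warned), 2 = not a macOS host.
check_host() {
    ver=$(sw_vers -productVersion 2>/dev/null) || { echo "not macOS"; return 2; }
    aa=$(dscl . -read /Users/root AuthenticationAuthority 2>&1)
    if version_affected "$ver"; then
        echo "macOS $ver: possibly unpatched for the root credential bug"
    fi
    if root_enabled_from_dscl "$aa"; then
        echo "root account ENABLED; set a strong root password or disable it"
        return 1
    fi
    echo "root account disabled"
    return 0
}

# Run the live check only where the macOS tools exist, so the helpers can be
# sourced and unit-tested on any platform.
if command -v sw_vers >/dev/null 2>&1 && command -v dscl >/dev/null 2>&1; then
    check_host
fi
```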

While this incident looks very bad for Apple, as macOS is considered to be one of the most secure operating systems around, credential validation flaws in general are not a rare occurrence. Just last week, security appliances maker Fortinet patched a vulnerability in FortiWeb Manager that granted administrative access to users regardless of the password they provided.

“Modern computing is built up with layers upon layers of different interacting software systems,” said Mike Buckbee, security engineer at Varonis, via email. “With so many interactions, this virtually guarantees that serious vulnerabilities are going to be present. While massive efforts to QA and harden systems take place, it’s inevitable that something, somewhere is going to be missed. For an enterprise to be secure it can’t focus solely on the systems and vulnerabilities, but needs to look at the behavior of accounts, traffic and data on individual computing devices and the network.”

Yet Another Amazon S3 Misconfiguration Exposes Top Secret NSA and U.S. Army Data

The incidents of misconfigured enterprise storage repositories hosted on Amazon’s S3 service keep piling on. The latest case concerns a virtual appliance and other files associated with a cloud intelligence platform operated by the U.S. Army Intelligence and Security Command (INSCOM), a signals intelligence organization jointly run by the U.S. Army and the NSA.

According to researchers from UpGuard, who found the misconfigured bucket on Amazon S3, the .ova file inside contained a Linux-based operating system used for receiving, transmitting, and handling classified data. The system had several partitions containing metadata, instructions and technical configurations, some of which were marked as Top Secret and NOFORN—information that should not be shared with foreign nationals.

The UpGuard researchers found details in the files that suggest the appliance was associated with Red Disk, a Defense Department cloud intelligence platform, and that it was created by a contractor called Invertix.

“Third-party vendor risk remains a silent killer for enterprise cyber resilience,” the UpGuard researchers said in a blog post. “The transfer of information to an external contractor, such as Invertix, exposes the originating enterprise (in this case, INSCOM) to the consequences of a breach, but without direct oversight of how the data is handled.”

Earlier this month, UpGuard also found three misconfigured Amazon S3 storage buckets containing more than 1.8 billion online posts scraped from public websites for the U.S. military as part of an open-source intelligence-gathering operation. Those data repositories had also been created by a third-party vendor.


Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
