MacOS vulnerability gives any user full admin rights without a password
We all want to believe that the technology platforms we use are invincible. But, the reality is, software flaws exist. And some of these flaws don’t even require sophisticated hacking to exploit – they’re just sitting ducks, waiting to be found. Unfortunately, that’s the current challenge for Apple.
Apple is usually in the news for its latest products, but recently an easily exploitable vulnerability in macOS High Sierra (10.13) made headlines for the wrong reason. The flaw lets anyone enable the root superuser account with an empty password, giving an attacker unrestricted access to every part of the Mac.
The Background: How the MacOS Security Flaw was Detected and How it Works
High Sierra’s “root” bug was first revealed by Turkish software developer Lemi Orhan Ergin, who says security staff at his company happened to stumble upon the issue while trying to restore account access for a user. The issue was then made public by Ergin, who demonstrated the flaw in a Tweet to Apple’s tech support account.
The flaw can be triggered at any High Sierra prompt that asks for a username and password: the login window on a machine with several users, an installer that asks for an administrator, or a locked System Preferences pane. Typing “root” as the username, leaving the password field blank and clicking “Unlock” twice is enough. The first attempt appears to fail but silently enables the root account with an empty password; the second attempt succeeds and grants full root access.
In other words, anyone who can reach the keyboard of a Mac can obtain the deepest level of access the system has, root privileges. Malware already running as an ordinary user could use the same trick to escalate to root and install itself persistently, with no password required.
Worse, the flaw can be exploited even when the main login screen offers no field for typing a username and only lists existing accounts. The System Preferences route still works: an attacker opens the Users & Groups pane, clicks the lock icon, enters root as the username, leaves the password field blank, and clicks Unlock.
From there an attacker can do real damage to a business network. They can add new accounts with full administrative rights, turn off macOS security features such as FileVault disk encryption, install malware, and steal, copy or delete data at will.
Dangerous Access: Why the MacOS Flaw is Especially Scary
News of the vulnerability spread quickly across Twitter and other social media, with many security researchers confirming that they could reproduce the exploit. Patrick Wardle and Amit Serper both posted that they had gained unauthorised root access using it, and WIRED independently confirmed the bug.
What makes it so serious is that the attack works on a logged-out machine. Anyone with physical access can exploit it just as easily as malware can, so the threat is both internal and external. An attacker could, for instance, use the bug to gain root on a logged-out machine, set a root password of their own choosing, and then return to that machine at any later time. Do that to any company Mac sitting on a desk and you have a standing back door into it.
Wardle also described the external threat: the flaw can be exploited remotely if the target Mac has remote access or sharing services (Screen Sharing, for example) enabled.
“Attempting to log in creates the root account with a blank password,” said Wardle, a security researcher with Synack. “If the root account is disabled, logging in remotely re-enables it.”
This creates a huge threat to MacOS systems and leaves devices vulnerable to potential threats within and outside business organizations.
How to Patch the Flaw: Setting a Root Password to Prevent Unauthorised Access
One widely circulated suggestion, disabling the guest account, does not mitigate the flaw. The bug lies in how the root account’s credentials are validated, not in the guest account; guest logins are unrelated to it.
It is possible to mitigate the flaw, however, by giving the root user a password. Once root has a real password, the blank-password trick no longer works. The directions for setting a root password are:
- Open the Users & Groups preferences pane and click the lock to make changes.
- Select Login Options.
- Click Join next to Network Account Server.
- In the dialog box that appears, click Open Directory Utility.
- From the tool’s menu bar, select
- Here you can enable the root user and assign or change its password.
IMPORTANT NOTE: Simply disabling the root account in Directory Utility is not a fix. On an unpatched system the next attempt to log in as root silently re-enables the account with an empty password. Set a strong root password instead, and leave it set until the patch is installed.
The real fix, however, is Apple’s update. About 18 hours after the vulnerability was made public, Apple released Security Update 2017-001 for the ‘root privileges’ flaw (tracked as CVE-2017-13872). If you haven’t applied it yet, do so as soon as possible, and check afterwards that the fix is actually present rather than assuming the update succeeded. Apple attributed the flaw to a logic error in the validation of account credentials, said the patch adds improved credential validation, and accepted responsibility for leaving users exposed.
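The two checks an administrator needs after reading the mitigation steps and the patch advice above, whether the root account has been enabled and whether the fixed build is installed, can be scripted. The following is an added example written for this page, not code from the article or from Apple. It assumes two things the article does not state: that the fixed build of macOS 10.13.1 after Security Update 2017-001 is 17B1002 (later builds, such as 10.13.2, also contain the fix), and that `dscl` reports an AuthenticationAuthority attribute containing “ShadowHash” for /Users/root only once root has been enabled with a (possibly empty) password. The parsing and build-comparison functions are pure so they can be exercised off a Mac; the live checks only run on macOS.

```sh
#!/bin/sh
# Added example (not from the article or Apple): per-host check for the High Sierra
# root bug. Assumptions: fixed 10.13.1 build is 17B1002 (Security Update 2017-001);
# dscl shows "ShadowHash" in AuthenticationAuthority for /Users/root once root is enabled.

PATCHED_BUILD="17B1002"   # assumed minimum fixed build; 17B1003, 17C88 (10.13.2) etc. are also fixed

# Classify the output of: dscl . -read /Users/root AuthenticationAuthority
# Returns 0 if root is enabled (a password hash exists, even for the empty password),
# 1 if root is disabled (dscl prints "No such key" and no attribute).
root_enabled_from_output() {
    case "$1" in
        *ShadowHash*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Split a build string such as 17B48 into "17 B 48" on stdout.
split_build() {
    printf '%s' "$1" | sed -E 's/^([0-9]+)([A-Z])([0-9]+).*$/\1 \2 \3/'
}

# Return 0 when build $1 is at least build $2, using Apple's ordering
# (17B48 < 17B1002 < 17C88); return 2 if either string is not a build number.
build_at_least() {
    set -- $(split_build "$1") $(split_build "$2")
    [ $# -eq 6 ] || return 2
    [ "$1" -gt "$4" ] && return 0
    [ "$1" -lt "$4" ] && return 1
    la=$(printf '%d' "'$2"); lb=$(printf '%d' "'$5")   # letter to ASCII code
    [ "$la" -gt "$lb" ] && return 0
    [ "$la" -lt "$lb" ] && return 1
    [ "$3" -ge "$6" ]
}

# Live checks; run as an administrator on the Mac being audited.
check_host() {
    build=$(sw_vers -buildVersion)
    if build_at_least "$build" "$PATCHED_BUILD"; then
        echo "build $build: Security Update 2017-001 (or later) is installed"
    else
        echo "build $build: UNPATCHED - install Security Update 2017-001 now"
    fi
    # dscl writes "No such key" to stderr when root is disabled, so merge the streams.
    out=$(dscl . -read /Users/root AuthenticationAuthority 2>&1)
    if root_enabled_from_output "$out"; then
        echo "root account is ENABLED - give it a strong password now: sudo passwd root"
        echo "if nobody in your organisation enabled root on this host, investigate it"
    else
        echo "root account is disabled"
    fi
}

if [ "$(uname)" = "Darwin" ]; then
    check_host
fi
```

On an unpatched machine the right response to “root account is ENABLED” is to set a strong password with `sudo passwd root` rather than to disable the account, for the reason given in the important note above: disabling it only lasts until the next blank-password login attempt. Treat an enabled root account that nobody in your organisation created as a sign the host may already have been used.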
“Security is a top priority for every Apple product, and regrettably we stumbled with this release of MacOS,” the company said in a statement. “We greatly regret this error and we apologize to all Mac users, both for releasing the OS with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.”
Frightening Patterns: MacOS Security Flaws Becoming More Common
“We always see malware trying to escalate privileges and get root access,” says Wardle. “This flaw is the best, easiest way ever to get root, and Apple has handed it to them on a silver platter.”
And unfortunately, the root bug isn’t an isolated event. It is only the latest in a disturbing series of flaws in High Sierra. On the day the operating system launched, Wardle demonstrated that malicious code running on the system could read saved passwords out of the keychain, leaving that data up for grabs. Another reported bug showed the user’s actual password in place of the password hint when unlocking an encrypted APFS volume.
Wardle argues that flaws like these would be found and fixed faster if Apple ran a “bug bounty” for security vulnerabilities in its desktop software. Bug bounties are an increasingly popular way for technology companies to find and fix vulnerabilities before attackers do. Apple already runs a bug bounty for iOS, but at the time of writing still has nothing for macOS.
“A bug bounty program is a no-brainer. Maybe this is something that will encourage them to go down that path,” says Wardle. “It’s crazy these kinds of bugs keep blowing up. I don’t know if I should laugh or cry.”
Despite Apple’s quick patch, this flaw should leave Mac users on high alert. Keeping up with the latest Mac product line is nice, but keeping up with Mac security updates and newly disclosed flaws matters far more. You can only protect your business data if you know what the current threats are.
If you have questions about the macOS security flaw or need a hand making sure your machines are patched, reach out to our team of technology experts. Mitigating a wide variety of cyber threats can be time-consuming and stressful, and sometimes calling in a team of professionals makes all the difference.