Apple has released a security update for macOS High Sierra in an effort to patch a critical authentication bypass vulnerability that can be easily exploited to gain root access to a system.
The flaw was first mentioned on Apple developer forums on November 13 by a user who had been trying to help others solve a macOS issue related to all their admin accounts being turned into regular accounts after updating to High Sierra. However, Apple apparently only learned of it on Tuesday after a Turkish web developer sent a tweet to Apple Support and the press started covering the issue.
Within 24 hours of the tweet, Apple announced that High Sierra has been updated to version 10.13.1 to address the vulnerability, which the company tracks as CVE-2017-13872.
Apple has described the flaw as a logic error in the validation of credentials. “An attacker may be able to bypass administrator authentication without supplying the administrator’s password,” the company said in its advisory.
According to the tech giant, the vulnerability does not affect macOS Sierra 10.12.6 and earlier versions of the operating system.
CVE-2017-13872 can be easily exploited. Access “System Preferences” from the Apple menu and click on any of the categories that require administrator privileges in order to make changes (e.g. Security & Privacy, Users & Groups, Parental Controls). Then click on the lock icon in the bottom left corner of the window and enter the username “root” with any password when prompted. The Enter key or the Unlock button must be hit twice.
Initial reports suggested that the exploit worked by entering the username “root” with a blank password. However, researcher Tom Ervin clarified that the attack works with any password. The password entered becomes the password for the root account, and if the field is left blank there will be no password on the root account.
It’s worth noting that the attack is possible only if the root account has not been enabled and a password has not been set for it – Apple has deactivated the root account by default.
Experts pointed out that the attack can be executed remotely if sharing services are enabled. Ervin has published a video showing how to conduct a remote attack: