By sragan, Senior Staff Writer

Apple’s High Sierra allows root with no password, there’s a workaround to help

News | Nov 28, 2017 | 5 mins
Tags: Mac, Passwords, Security

Security experts warn the public not to test the issue, locally or remotely, because doing so enables the root account and increases the attack surface of the machine being tested.

Earlier this afternoon on Twitter, a developer posted a screenshot and reported it was possible to obtain root access on Apple’s High Sierra without a password.

[Note: Apple has released a fix for this issue, calling it a “logic error”. Please note, once the patch is applied, if you need the root user you will need to re-enable that account and change its password. All previous updates are below.]

Several users recreated this issue on their own systems, including a staffer here at IDG. However, as problematic as this issue is, the workaround is rather easy.

The issue was first reported by Lemi Orhan Ergin, a developer in Istanbul, Turkey. In his initial tweet, directed to Apple, he explained the issue fully, which allowed others to confirm the problem on their own systems.

After some testing, the problem was confirmed even from a standard (non-administrator) user account. Once logged in as root, a user can create new administrator accounts, disable the firewall and FileVault, enable sharing and remote logins, and more.

The issue discovered in High Sierra is a bad one, but there is a workaround that appears to close it: enable the root user account and give it a strong password. The flaw depends on the root account having no password set, so setting one removes the condition the bug relies on.

Apple recommends that the root user be disabled again after a password is set, which is solid advice in the long run, especially if the account isn’t needed (hint: it isn’t).

At this point, it’s not clear if High Sierra is the only OS affected. Internal testing here at IDG couldn’t reproduce the issue on anything other than High Sierra.

Now for the really bad news.

High Sierra users need to address this issue urgently, because the root password bug is exploitable remotely wherever a network login path accepts local credentials, including VNC, Screen Sharing and Apple Remote Desktop. Various researchers confirmed this shortly after the public started looking at the bug.

Another important note comes from researchers at Bugcrowd: testing (that is, exploiting) the problem locally enables the root account and so opens the machine to remote attack, especially via Screen Sharing.

“By testing this vulnerability on your own computer, you’ll end up creating (or modifying) a persistent root user account on your system. The danger here is that, by creating such an account, it will affect remotely accessible services such as Remote Desktop,” explained Bugcrowd’s Keith Hoodlet, Trust and Security Engineer.

“By testing this vulnerability on your own system, you remove existing safeguards around the root (i.e. God-mode) user – enabling passwordless root access to your system. Given the level of access the root account has, it has many (and wide-ranging) potential security impacts, including remote access through various services. We have internally confirmed that it adversely affects the Screen Sharing service.”

Apple says they’re working on a software update to address the issue, and is directing users to a support document explaining how to enable root and set a secure password. [Apple has released a fix, you can find that here if you missed the link above.]

We’ll keep updating this story as new information emerges.

Update:

Rob Fuller, also known as Mubix, has some sound advice for those who are enabling and setting a root password in order to deal with today’s problems: randomize it, since you won’t actually need the account.

The original command using echo will work for some, but on a Mac whose terminal locale is UTF-8, tr rejects the raw bytes from /dev/urandom with an “Illegal byte sequence” error; forcing the C locale avoids that. Others may therefore need the command below, which draws 60 random alphanumeric characters and sets them as root’s password:

    cat /dev/urandom | env LC_CTYPE=C tr -dc a-zA-Z0-9 | head -c 60 | xargs -I rootpw sudo dscl . -passwd /Users/root rootpw

The password is handed to dscl as a command-line argument, so it is briefly visible in the process list to other local users; for a throwaway value on a single-user Mac that is an acceptable trade-off.

Update 2:

There has been a bit of a debate after Tuesday’s disclosure. Those in the Responsible Disclosure camp disagree with how the issue was brought to Apple’s attention, namely in a public tweet. However, the root password bug was being suggested on Apple’s Developer Forums as a helpful tip earlier this month. [Archive Link]

Update 3 (The issue is bigger than a blank password):

Hours after the internet first learned about the High Sierra flaw that leaves the root account exposed (Apple has promised a fix), one security researcher discovered that the issue is more serious than a blank password.

Researchers who have been scanning the internet for exposed machines may have accidentally widened the attack surface and left users exposed: each authentication attempt against a vulnerable system enables root and sets its password to whatever was typed into the password field. The video below explains.

So, if anyone is scanning the internet and trying to make connections to exposed Apple boxes, stop.

“You are setting the root password to every machine you authenticate to, as a blank password or whatever you choose to put into the password field,” security researcher Tom Ervin explains.

Doing so may make things harder for Apple to address all of these compromised systems.

“How are they going to know the difference between a system somebody has intentionally set the password for, and a system that somebody has exploited this vulnerability on and set the password for that user?” Ervin asked.

Again, it is critical that a password be set for the root user. For the scenario shown in this video, a password on the root account appears to address the flaw and prevent remote exploitation. It’s also wise to disable Apple Remote Desktop, and Screen Sharing more generally, if they are not needed.

Ervin is continuing to research other attack surfaces, and we’ll update as his work progresses.
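The procedure the updates above describe (set a long random root password, confirm the account state, and switch off the remote services the bug is reachable through) collected into one script. This is an added example, not code from the article, from Mubix or from Apple. It assumes two things the page does not state: that the ";DisabledUser;" marker which dsenableroot -d writes into root’s AuthenticationAuthority attribute identifies a disabled account, and that a ";ShadowHash;" entry there means a password hash is stored. The helpers that touch the system are guarded so that they only run as root on macOS; the others can be sourced anywhere.

```shell
#!/bin/sh
# Added example (not from the article or Apple): harden the root account on a
# High Sierra box the way the text recommends. Run with sudo on macOS:
#   . ./harden_root.sh && harden_root
set -u

# gen_rootpw [LEN]: LEN random characters from [a-zA-Z0-9] (default 60).
# LC_ALL=C stops tr from rejecting non-UTF-8 bytes from /dev/urandom,
# the "Illegal byte sequence" failure seen in UTF-8 terminal locales.
gen_rootpw() {
    LC_ALL=C tr -dc 'a-zA-Z0-9' </dev/urandom | head -c "${1:-60}"
}

# root_state AUTHAUTH: classify a root AuthenticationAuthority value as
# disabled, password-set or no-password. The two markers are assumptions
# about the attribute's format, not something the article states.
root_state() {
    case "$1" in
        *";DisabledUser;"*) echo disabled ;;
        *";ShadowHash;"*)   echo password-set ;;
        *)                  echo no-password ;;
    esac
}

# current_root_state: read the live attribute through dscl (macOS only).
current_root_state() {
    root_state "$(dscl . -read /Users/root AuthenticationAuthority 2>/dev/null)"
}

# set_root_password: generate a 60-character password and set it on root.
# The value is passed as an argument, so it is briefly visible in ps output.
set_root_password() {
    pw=$(gen_rootpw 60)
    dscl . -passwd /Users/root "$pw"
    unset pw
}

# disable_remote_access: turn off Apple Remote Desktop, Screen Sharing and
# Remote Login (SSH), the services the bug has been shown to be reachable over.
disable_remote_access() {
    kick=/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart
    "$kick" -deactivate -configure -access -off
    launchctl unload -w /System/Library/LaunchDaemons/com.apple.screensharing.plist 2>/dev/null
    systemsetup -setremotelogin off
}

# harden_root: the whole procedure. Returns 1 unless run as root on macOS.
harden_root() {
    [ "$(uname)" = Darwin ] && [ "$(id -u)" -eq 0 ] || return 1
    set_root_password
    disable_remote_access
    echo "root state now: $(current_root_state)"
    # Apple's follow-up advice once a password is set: dsenableroot -d
}
```

Because the state check and the password generator are separated from the commands that change the system, the two things that matter (the charset and length of the password, and how the account state is interpreted) can be exercised without touching a live machine.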

Update 4 (Apple has released a fix, update your systems):

Apple has released Security Update 2017-001 to address what it describes as a “logic error” in credential validation, which allowed the root user account to be abused locally and, in some cases, remotely. All macOS High Sierra users are encouraged to install the patch immediately.

After the patch is installed, if the root user is required (it shouldn’t be), the account will need to be re-enabled and have its password reset. Additional details are in Apple’s advisory.

[This story was updated to include links to Apple’s documentation, and to mention that Apple recommends deactivating the root user account once a password is set.]