By Dan Moren
November 28, 2017 1:08 PM PT
Developer goes public with macOS root vulnerability
Note: This story has not been updated for several years.
Developer Lemi Orhan Ergin uncovered a vulnerability in macOS High Sierra allowing access to the
root superuser account without a password:
— Lemi Orhan Ergin (@lemiorhan) November 28, 2017
Unsurprisingly, that news has quickly rippled through the Apple community as many people—including yours truly—have verified the claim. You can test it for yourself by going to any locked System Preferences pane, trying to unlock it, and entering username
root with no password. (The number of tries varied for me—sometimes it worked on the first attempt, but pretty much always by the second.)
Obviously, this isn’t great, and the manner of disclosure didn’t help much either. Usually it’s advisable to disclose these vulnerabilities privately to the vendor, so that it can patch any holes before malicious parties attempt to use them for their own gains. But that ship has sailed.
What can you do in the meantime? The easiest solution appears to be changing the password for
root. To do so, in the Finder, use Spotlight to open the Directory Utility app1 and go to Edit > Change Root Password. (If that option is currently grayed out, you may first need to choose Edit > Enable Root User.) Enter a new password when verified, preferably a strong one generated with Keychain Assistant, 1Password, or a similar tool.2 At that point, you should be all set.
While this flaw is bad—you never want to give unfettered access to a user with
root‘s power—the vulnerability doesn’t seem to be remotely exploitable, unless the attacker already has login credentials. (Logging in as
root with no password via the login window or via SSH didn’t seem to work in my tests.) However, if somebody already has remote access to your machine, or has physical access, then this could be a worry.
Update: TidBITS proprietor and friend Adam Engst says he was able to log in as root with no password, even via screensharing, which makes this a much scarier flaw. I haven’t been able to duplicate his efforts, but it makes it that much more imperative that you change your root password.
Apple no doubt is working double time to get to the…root…of this flaw.3 In the meantime, however, you should change the root password on your Macs and make sure to secure physical access if you haven’t already. And above all, don’t panic.
Here’s the official word from Apple, supplied to us a little while ago:
“We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section.”
Updated at 5:45pm Eastern to provide an easier way to open the Directory Utility.
If you can’t find it via Spotlight, use the Finder’s Go > Go to Folder option and open
- Some early suggestions say that you should then disable the root user again, but in the tests of myself and others, that appears to bring the flaw back, so don’t do it. ↩
- Sorry, not sorry. ↩
[Dan Moren is the East Coast Bureau Chief of Six Colors. You can find him on Mastodon at @email@example.com or reach him by email at firstname.lastname@example.org. His latest novel, the supernatural detective story All Souls Lost, is now available for pre-order.]
If you appreciate articles like this one, support us by becoming a Six Colors subscriber. Subscribers get access to an exclusive podcast, members-only stories, and a special community.