A security issue in Apple's macOS High Sierra could allow an attacker to bypass any authentication dialog and even sign in as a root user.
The macOS flaw gained visibility after Lemi Orhan Ergin, agile software craftsman at payment platform vendor Iyzico, based in Istanbul, Turkey, tweeted about it Tuesday. Ergin asked Apple on Twitter if it was aware of an authentication bypass issue in its desktop operating system that could allow anyone with physical access to a target system to "login as 'root' with empty password after clicking on login button several times."
However, it wasn't the first time the issue was brought up. Ergin said in a Medium post that the infrastructure team at his company brought the macOS flaw to his attention on Nov. 23rd, and there have been Apple Developer Forums posts about the issue as far back as Nov. 13th.
Tim Erlin, vice president of product management and strategy at Tripwire, criticized Ergin for his tweet.
"Failing to follow responsible disclosure guidelines puts everyone at greater risk," Erlin told SearchSecurity. "Public disclosure like this, especially with a major vulnerability, ensures the widest possible distribution of the information among malicious attackers, and instills a sense of urgency to attack before a patch is available."
Xavier Mertens, security consultant for SANS Internet Storm Center, said in an alert a "quick fix" would be to create a password for the root user.
Apple released a patch for the macOS flaw Wednesday and said the issue was due to "a logic error [that] existed in the validation of credentials. This was addressed with improved credential validation."
Potential other vectors
Will Dormann, senior vulnerability analyst at CERT, found the macOS flaw could be remotely exploitable if Apple's Remote Desktop system is enabled, and "that gives full interactive remote root access to a system, without requiring a password."
Apple "Remote Management" also has the same exposure. If "Control" is enabled, that gives full interactive remote root access to a system, without requiring a password. (Will Dormann, @wdormann, November 28, 2017)
Additionally, Thomas Reed, a recognized Mac evangelist at Malwarebytes Labs, found this latest macOS flaw "works with any authentication dialog in High Sierra."
"On a Unix system, such as macOS, there is one user to rule them all. The root user is given the power to change anything on the system. There are some exceptions to that on recent versions of macOS, but even so, the root user is the single most powerful user with more control over the system than any other," Reed wrote in a blog post. "Being able to authenticate as the root user without a password is serious, but unfortunately, the problem gets worse. After this has (sic) bug has been triggered, it turns out you can do anything as root on the first try, without a password."
Reed added that while this macOS flaw could allow someone to log in to a system locally, or remotely if Remote Desktop is turned on, and "do whatever they want, including accessing your files, installing spyware, you name it," there is a way to protect data.
"If you have your Mac's hard drive encrypted with FileVault, this will prevent the attacker from having a persistent backdoor," Reed wrote. "In order to log in, the attacker would have to know the password that will unlock FileVault. Not even the all-powerful root user can access an encrypted FileVault drive without the password."