If you’re using a Mac running macOS High Sierra, drop everything you’re doing and set (or change) the computer’s root password.
Why? What’s happening?
Turkish software developer Lemi Orhan Ergin dropped a bombshell yesterday: unauthorized users can gain root access to machines running High Sierra simply by entering “root” as the username, leaving the password blank, and submitting the login form more than once:
Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as "root" with empty password after clicking on login button several times. Are you aware of it @Apple?
— Lemi Orhan Ergin (@lemiorhan) November 28, 2017
The trick can apparently be used on both a locked and an unlocked Mac – IF the root password hasn’t already been set (it isn’t by default).
How does it work?
In the case of a locked machine, the attacker needs to choose “Other…” on the login screen, enter “root” as the username, leave the password empty, and hit “Enter” a couple of times. The repetition matters: the first blank-password attempt fails but leaves the previously disabled root account enabled with an empty password, so the next attempt succeeds. (Some users report that the trick does not work for them.)
On an unlocked machine, the attacker can do the same via System Preferences > Users & Groups: click the lock in the lower left corner to make changes, type “root” in the username field, click in the password box but leave it blank, and press the Unlock button, repeating if the first attempt fails.
And, as it turns out, someone already noticed the bug two weeks ago:
Perhaps nobody noticed two weeks ago when the root login vulnerability in macOS High Sierra was shared as a helpful tip on Apple’s own Developer forums. https://t.co/P44gEId25d http://pic.twitter.com/sOiRt8j2X7
— Mike Myers (@fristle) November 29, 2017
Whether someone at Apple saw that particular post or not is unknown, but the company has reacted to Ergin’s Tweet by asking for more information. Later, a spokesperson confirmed the existence of the problem.
“We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac,” the spokesperson explained.
“To enable the Root User and set a password, please follow the instructions here. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section.”
Can the bug be exploited remotely?
It was initially thought that only an attacker with physical access to the target machine could exploit this bug.
But, as it turns out, the vulnerability can also be exploited remotely if Screen Sharing is enabled.
Keith Hoodlet, Trust and Security Engineer at Bugcrowd, advises caution if you’re testing this vulnerability on your own computer:
“You’ll end-up creating (or modifying) a persistent root user account on your system. The danger here is that, by creating such an account, it will affect remotely accessible services such as Remote Desktop. You remove existing safeguards around the root user – enabling passwordless root access to your system. Given the level of access the root account has, it has many (and wide-ranging) potential security impacts, including remote access through various services. We have internally confirmed that it adversely affects the Screen Sharing service.”
Rod Soto, Director of Research at JASK, says that the vulnerability is alarming because it makes it seamless for someone to log into a system as root.
“While there are other methods that can provide bad actors with access and password reset capabilities via physical access, these require some technical knowledge and time. The severity of this is how simple and quick anyone can execute the method and log in to reset and access user information even if their passwords are complicated,” he noted.
“With the granted controls, they can also install backdoors and disable any other protections on the device. However, it is expected that every corporate department that issues these types of devices would add passwords to root accounts as standard operating procedure.”
So far, the vulnerability seems to be present only in macOS High Sierra 10.13.0, 10.13.1, and the macOS High Sierra 10.13.2 beta.
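As an added example (not code from the article, from Apple, or from anyone quoted in it), the following shell script turns the two practical points above into something an admin can run: it classifies the root account’s state from what the macOS Directory Service tool `dscl` reports, flags the versions the article lists as affected, and applies Apple’s recommended mitigation (set a root password) with `dsenableroot`. It deliberately never attempts a blank-password login as a “test”, because, as Hoodlet warns above, the attempt itself is what creates the passwordless root account. The `dscl` output formats it matches on (“No such key” for a never-enabled root, `;ShadowHash;` for an enabled one, `;DisabledUser;` for one disabled with `dsenableroot -d`) are assumptions about 10.13 behaviour, not taken from the article, and the sample outputs in `demo` are constructed rather than captured from a real machine.

```shell
#!/bin/bash
# Added example for this article; not code from Help Net Security, Apple, or
# anyone quoted. Inspects the root account's state with the macOS Directory
# Service tools and applies the mitigation Apple recommended (set a root
# password) via dsenableroot. It never attempts a blank-password login as a
# check: per the caution quoted in the article, the attempt itself is what
# creates the passwordless root account.
#
# Assumptions about dscl output on 10.13 (observed behaviour, not from the article):
#   - a root account that was never enabled has no AuthenticationAuthority
#     attribute, so `dscl . -read /Users/root AuthenticationAuthority` prints
#     "No such key: AuthenticationAuthority";
#   - an enabled root account has ";ShadowHash;" in that attribute;
#   - a root account disabled with `dsenableroot -d` carries ";DisabledUser;".

# Classify root's state from the text dscl printed. The text is an argument so
# the logic can be exercised offline against constructed samples.
# Prints one of: never-enabled | disabled | enabled | unknown
root_state_from_dscl() {
  case "$1" in
    *"No such key"*)    echo "never-enabled" ;;
    *";DisabledUser;"*) echo "disabled" ;;
    *";ShadowHash;"*)   echo "enabled" ;;
    *)                  echo "unknown" ;;
  esac
}

# Exit 0 when the version string is one the article lists as affected:
# 10.13.0 (sw_vers prints it as "10.13"), 10.13.1, and the 10.13.2 beta (which
# reports itself as 10.13.2). A version match alone does not prove the bug is
# present; the account state above is what matters.
is_affected_version() {
  case "$1" in
    10.13|10.13.0|10.13.1|10.13.2) return 0 ;;
    *)                             return 1 ;;
  esac
}

# Live check: read the real attribute and report. Only meaningful on macOS.
check_root() {
  local version state output
  version=$(sw_vers -productVersion)
  output=$(dscl . -read /Users/root AuthenticationAuthority 2>&1)
  state=$(root_state_from_dscl "$output")
  echo "macOS $version, root account: $state"
  if is_affected_version "$version"; then
    echo "version is in the range the article lists as affected"
  fi
  case "$state" in
    never-enabled) echo "no root password set: run '$0 fix' to set one" ;;
    enabled)       echo "root is enabled: if you did not set its password yourself, run '$0 fix' to change it" ;;
    disabled)      echo "root was explicitly disabled with dsenableroot -d" ;;
    unknown)       echo "unexpected dscl output:"; echo "$output" ;;
  esac
}

# Mitigation from the article: set (or change) the root password. dsenableroot
# prompts for an admin username and password and for the new root password, so
# no secret is passed on the command line or left in shell history.
fix_root() {
  dsenableroot
}

# Constructed sample outputs (not captured from a real machine) that show the
# classifier offline.
demo() {
  local sample
  for sample in \
    "No such key: AuthenticationAuthority" \
    "AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2,SRP-RFC5054-4096-SHA512-PBKDF2>" \
    "AuthenticationAuthority: ;DisabledUser;;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>"
  do
    printf '%-40.40s -> %s\n' "$sample" "$(root_state_from_dscl "$sample")"
  done
}

# Run the live actions only when asked, so sourcing the file does nothing.
case "${1:-}" in
  check) check_root ;;
  fix)   fix_root ;;
  demo)  demo ;;
esac
```

Run it as `./rootcheck.sh check` to see the current state, `./rootcheck.sh fix` to set a root password interactively, and `./rootcheck.sh demo` to see the classifier on the constructed samples. Because the “enabled” state cannot distinguish a password you set from one an attacker left blank without attempting an authentication, the script treats any root account you did not knowingly enable as something to reset, not something to probe.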
from Help Net Security http://ift.tt/2iiuPmF