macOS High Sierra Security – Protect from Root Vulnerability

Tags: high-sierra, macos, root, security

On 28 November, a user discovered a root vulnerability in which the root account can be accessed by entering a blank password. This affects all users.

TechCrunch has an animated GIF showing how this works when you use an authentication dialog.

This flaw is also present on the lock screen, and on any guest or non-admin account as well. Additionally, if there is an 'Other' option at the login screen, or you log in through VNC, file sharing or screen sharing, your root user could be enabled with no password to protect access.

How can I protect myself?

Best Answer

Edit November 29, 2017:

Apple released a security update today that fixes the issue. It's important to install this update using App Store > Updates. When updated, the build number of macOS will be 17B1002. Here is more information on the update: Security Update 2017-001

When you want to use the root account again, you will need to re-enable the root user and change the root user's password. (See below)


It's mandatory to enable the Root User and to set a strong (and perhaps random) password for the root user. This disables the security bypass. You are now as secure as the root password is unguessable.

Enabling the root user and changing the root password

  1. Choose Apple menu > System Preferences, then click Users & Groups (or Accounts).
  2. Click lock icon, then enter an administrator name and password.
  3. Click Login Options.
  4. Click Join (or Edit).
  5. Click Open Directory Utility.
  6. Click lock icon in the Directory Utility window, then enter an administrator name and password.
  7. From the menu bar in Directory Utility: Choose Edit > Enable Root User, then enter the password that you want to use for the root user.

Apple support article (https://support.apple.com/en-us/HT204012)

Apple's statement

“We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section.”

Apple's statement (9to5mac)

If you allow remote login (SSH), you might also want to disable the login shell for the root user, to prevent any chance of that password or user being used to log in to a shell.

sudo /usr/bin/dscl . -create /Users/root UserShell /usr/bin/false

Here's a guide for administrators if they want to secure a fleet of Macs from this. The second link is a handy script that does both actions quite well, with error checking.
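As an added example (not code from the original answer, from Apple, or from the fleet guide linked above), here is a small POSIX shell script that performs the checks and the two actions the answer describes: it compares the running build against 17B1002, reads root's AuthenticationAuthority to decide whether root is actually enabled, and with --apply enables root with a random password and sets its shell to /usr/bin/false. The function names, the --check/--apply flags and the 24-character password length are this example's own choices, and it assumes that a disabled root account's AuthenticationAuthority attribute carries the ";DisabledUser;" tag while a never-enabled root has no such attribute at all. The apply step must run under sudo on macOS; dsenableroot prompts for the admin password because -p is not passed.

```shell
#!/bin/sh
# Added example, not part of the original answer or of Apple's tooling.
#   --check  report whether this Mac's build already carries Security Update
#            2017-001 (17B1002 per the answer) and whether root is enabled.
#   --apply  the two manual steps from the answer: enable root with a random
#            password, then give root a non-login shell. Run with sudo.
# Assumed by this example: the function names and flags, a 24-character
# password, and that a disabled root carries the ";DisabledUser;" tag in
# AuthenticationAuthority (a never-enabled root has no attribute at all).
set -eu

PATCHED_TRAIN=17B      # build train that Security Update 2017-001 targets
PATCHED_NUMBER=1002    # 17B1002 is the fixed build named in the answer

# build_is_patched BUILD: 0 if BUILD is 17B1002 or a later 17B build,
# 2 if BUILD is from another train (judge it manually), 1 otherwise.
build_is_patched() {
    train=$(printf '%s' "$1" | sed 's/^\([0-9][0-9]*[A-Z]\).*$/\1/')
    number=$(printf '%s' "$1" | sed 's/^[0-9][0-9]*[A-Z]//')
    case "$number" in ''|*[!0-9]*) return 1 ;; esac   # not a build string
    [ "$train" = "$PATCHED_TRAIN" ] || return 2
    [ "$number" -ge "$PATCHED_NUMBER" ]
}

# root_is_enabled AUTHORITY: 0 when the AuthenticationAuthority value shows a
# usable root account (non-empty and not tagged ;DisabledUser;). An absent
# attribute is the state in which a blank password was accepted.
root_is_enabled() {
    [ -n "$1" ] || return 1
    case "$1" in *';DisabledUser;'*) return 1 ;; esac
    return 0
}

# read_root_authority: raw dscl output for root's AuthenticationAuthority,
# or nothing when the attribute is absent (macOS only).
read_root_authority() {
    dscl . -read /Users/root AuthenticationAuthority 2>/dev/null || true
}

# random_password LEN: LEN alphanumeric characters from /dev/urandom.
random_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$1"
}

check() {
    build=$(sw_vers -buildVersion)
    rc=0; build_is_patched "$build" || rc=$?
    case $rc in
        0) echo "build $build: Security Update 2017-001 (or a later 17B build) is installed" ;;
        2) echo "build $build: not a 17B build; compare it with Apple's release notes yourself" ;;
        *) echo "build $build: fix not confirmed; install Security Update 2017-001" ;;
    esac
    if root_is_enabled "$(read_root_authority)"; then
        echo "root: enabled (make sure its password is set and strong)"
    else
        echo "root: disabled or never enabled; a blank password is accepted on an unpatched build"
    fi
}

apply() {
    [ "$(id -u)" -eq 0 ] || { echo "--apply needs sudo" >&2; return 1; }
    admin=${SUDO_USER:-}
    [ -n "$admin" ] || { echo "run --apply via sudo from an admin account" >&2; return 1; }
    pw=$(random_password 24)
    # Step 1 of the answer: enable root with a non-blank password. dsenableroot
    # prompts for the admin password (no -p); the root password passed with -r
    # is briefly visible in this machine's process list.
    dsenableroot -u "$admin" -r "$pw"
    # Step 2 of the answer: no interactive shell for root, including over SSH.
    dscl . -create /Users/root UserShell /usr/bin/false
    echo "root enabled with a random password; store it in your password manager:"
    echo "$pw"
}

case "${1:-}" in
    --check) check ;;
    --apply) apply ;;
esac
```

Run `sh harden-root.sh --check` first; `sudo sh harden-root.sh --apply` then enables root and prints the generated password once, so copy it into a password manager before closing the terminal. If having the root password in dsenableroot's argument list bothers you, drop `-r "$pw"` and let dsenableroot prompt for it instead.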