{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2017-026.pdf"
    },
    "title": "UPDATE Unauthenticated Root Access in macOS High Sierra",
    "serial_number": "2017-026",
    "publish_date": "29-11-2017 11:05:00",
    "description": "On November 28th, security researcher Lemi Orhan Ergin notified Apple about a serious security issue in macOS High Sierra. It appears that anyone can log in as root by providing an empty password. The bypass works by putting the word root in the user name field of a login window, moving the cursor into the password field, and then hitting Enter with the password field empty. With that - after a few tries in some cases - the latest version of Apple's operating system logs the user in with root privileges.",
    "url_title": "2017-026",
    "content_markdown": "---\ntitle: 'Unauthenticated Root Access in\u00a0macOS\u00a0High\u00a0Sierra'\nversion: '1.1'\nnumber: '2017-026'\ndate: 'November 30, 2017'\n---\n\n_History:_\n\n* _29/11/2017 --- v1.0: Initial publication_\n* _30/11/2017 --- v1.1: Update resolving the issue is available_\n\n# Summary\n\nOn November 28th, security researcher Lemi Orhan Ergin notified Apple about a serious security issue in macOS High Sierra [1]. It appears that anyone can log in as _root_ by providing an empty password. The bypass works by putting the word _root_ in the user name field of a login window, moving the cursor into the password field, and then hitting _Enter_ with the password field empty. With that -- after a few tries in some cases -- the latest version of Apple's operating system logs the user in with root privileges [2].\n\nInterestingly enough, the functionality had already been identified and presented as a solution to login problems in a post by user _chethan177_ on the Apple developer forums on November 13th [3]. At the time, it appears that nobody felt the need to raise an alert about it.\n\nOn November 29th, Apple released Security Update 2017-001, which corrects the issue.\n\n# Technical Details\n\nWhen full-disk encryption is turned off, an untrusted user can turn on a Mac that is fully powered down and log in as root. Even on Macs that have FileVault turned on, the bypass can be used to make unauthorized changes to System Preferences (including disabling FileVault), or to log in as root after logging out of an existing account without turning off the machine [2].\n\nOf more concern is that malicious hackers can exploit this vulnerability to give their malware unfettered control over the computer and OS. In cases such as these, attackers use one exploit to run their malicious code and a second exploit to escalate the privileges of that code so it can perform actions that the OS normally would not allow [2].\n\nIt appears that the vulnerability is located in `com.apple.loginwindow`, a macOS component that is one of at least two ways users can log into accounts [2].\n\n# Products Affected\n\nApparently this bug is present in the current version of macOS High Sierra, 10.13.1, and in the macOS 10.13.2 beta that is in testing at the moment [4].\n\n# Recommendations\n\nApple has released an update (Security Update 2017-001) to correct the issue, and it is available through the App Store _Update_ tab. The update may be installed manually, and will later also be pushed automatically to the impacted systems. A short description, along with a method to check whether the update has been applied on a given system, is available in [5].\n\n# References\n\n[1] <https://twitter.com/lemiorhan/status/935578694541770752>\n\n[2] <https://arstechnica.com/information-technology/2017/11/macos-bug-lets-you-log-in-as-admin-with-no-password-required/>\n\n[3] <https://forums.developer.apple.com/thread/79235#277225>\n\n[4] <https://forums.macrumors.com/threads/major-macos-high-sierra-bug-allows-full-admin-access-without-password-how-to-fix-updated.2091696/>\n\n[5] <https://support.apple.com/en-us/HT208315>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>29/11/2017 --- v1.0: Initial publication</em></li><li><em>30/11/2017 --- v1.1: Update resolving the issue is available</em></li></ul><h2 id=\"summary\">Summary</h2><p>On November 28th, security researcher Lemi Orhan Ergin notified Apple about a serious security issue in macOS High Sierra [1]. It appears that anyone can log in as <em>root</em> by providing an empty password. The bypass works by putting the word <em>root</em> in the user name field of a login window, moving the cursor into the password field, and then hitting <em>Enter</em> with the password field empty. With that -- after a few tries in some cases -- the latest version of Apple's operating system logs the user in with root privileges [2].</p><p>Interestingly enough, the functionality had already been identified and presented as a solution to login problems in a post by user <em>chethan177</em> on the Apple developer forums on November 13th [3]. At the time, it appears that nobody felt the need to raise an alert about it.</p><p>On November 29th, Apple released Security Update 2017-001, which corrects the issue.</p><h2 id=\"technical-details\">Technical Details</h2><p>When full-disk encryption is turned off, an untrusted user can turn on a Mac that is fully powered down and log in as root. Even on Macs that have FileVault turned on, the bypass can be used to make unauthorized changes to System Preferences (including disabling FileVault), or to log in as root after logging out of an existing account without turning off the machine [2].</p><p>Of more concern is that malicious hackers can exploit this vulnerability to give their malware unfettered control over the computer and OS. In cases such as these, attackers use one exploit to run their malicious code and a second exploit to escalate the privileges of that code so it can perform actions that the OS normally would not allow [2].</p><p>It appears that the vulnerability is located in <code>com.apple.loginwindow</code>, a macOS component that is one of at least two ways users can log into accounts [2].</p><h2 id=\"products-affected\">Products Affected</h2><p>Apparently this bug is present in the current version of macOS High Sierra, 10.13.1, and in the macOS 10.13.2 beta that is in testing at the moment [4].</p><h2 id=\"recommendations\">Recommendations</h2><p>Apple has released an update (Security Update 2017-001) to correct the issue, and it is available through the App Store <em>Update</em> tab. The update may be installed manually, and will later also be pushed automatically to the impacted systems. A short description, along with a method to check whether the update has been applied on a given system, is available in [5].</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://twitter.com/lemiorhan/status/935578694541770752\">https://twitter.com/lemiorhan/status/935578694541770752</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://arstechnica.com/information-technology/2017/11/macos-bug-lets-you-log-in-as-admin-with-no-password-required/\">https://arstechnica.com/information-technology/2017/11/macos-bug-lets-you-log-in-as-admin-with-no-password-required/</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://forums.developer.apple.com/thread/79235#277225\">https://forums.developer.apple.com/thread/79235#277225</a></p><p>[4] <a rel=\"noopener\" target=\"_blank\" href=\"https://forums.macrumors.com/threads/major-macos-high-sierra-bug-allows-full-admin-access-without-password-how-to-fix-updated.2091696/\">https://forums.macrumors.com/threads/major-macos-high-sierra-bug-allows-full-admin-access-without-password-how-to-fix-updated.2091696/</a></p><p>[5] <a rel=\"noopener\" target=\"_blank\" href=\"https://support.apple.com/en-us/HT208315\">https://support.apple.com/en-us/HT208315</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}