---
licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0)
licence_link: https://creativecommons.org/licenses/by/4.0/
licence_restrictions: https://cert.europa.eu/legal-notice
licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies
title: 'Unauthenticated Root Access in macOS High Sierra'
version: '1.1'
number: '2017-026'
date: 'November 30, 2017'
---

_History:_

* _29/11/2017 --- v1.0: Initial publication_
* _30/11/2017 --- v1.1: Update resolving the issue is available_

# Summary

On November 28th, security researcher Lemi Orhan Ergin notified Apple about a serious security issue in macOS High Sierra [1]. It appears that anyone can log in as _root_ by providing an empty password. The bypass works by putting the word _root_ in the user name field of a login window, moving the cursor into the password field, and then hitting _Enter_ with the password field empty. With that, after a few tries in some cases, the latest version of Apple's operating system logs the user in with root privileges [2].

Interestingly enough, the same behaviour had already been identified and presented as a workaround for login problems in a post by user _chethan177_ on the Apple developer forums on November 13th [3]. At the time, it appears that nobody felt the need to raise an alert about it.

On November 29th, Apple released Security Update 2017-001, which corrects the issue.

# Technical Details

When full-disk encryption is turned off, an untrusted user can turn on a Mac that is fully powered down and log in as root. Even on Macs that have FileVault turned on, the bypass can still be used to make unauthorized changes to the System Preferences (including disabling FileVault), or to log in as root after logging out of an existing account without turning off the machine [2].
Of more concern is that malicious hackers can exploit this vulnerability to give their malware unfettered control over the computer and OS. In cases such as these, attackers use one exploit to run their malicious code and a second exploit to escalate the privileges of that code so it can perform actions that the OS normally would not allow [2].

It appears that the vulnerability is located in `com.apple.loginwindow`, a macOS component that is one of at least two ways users can log into accounts [2].

# Products Affected

Apparently this bug is present in the current version of macOS High Sierra, 10.13.1, and in the macOS 10.13.2 beta that is in testing at the moment [4].

# Recommendations

Apple has released an update (Security Update 2017-001) to correct the issue, and it is available through the App Store _Update_ tab. The update may be installed manually, and it will later also be pushed automatically to the impacted systems. A short description, along with a method to check whether the update was applied on a given system, is available in [5].

# References

[1]

[2]

[3]

[4]

[5]
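As an added example for the Recommendations section (not CERT-EU's or Apple's code), the following POSIX shell script classifies a host as not affected, patched, or still vulnerable by combining the product version with the installed-update history. It assumes that `sw_vers -productVersion`, `system_profiler SPInstallHistoryDataType` and `what` behave as on a standard macOS install and that Security Update 2017-001 is listed in the install history under exactly that name; the install-history text embedded below is a constructed sample used only to exercise the parsing functions offline, and the `what` call merely prints the login component's build string so it can be compared by hand against whatever value the vendor bulletin [5] lists.

```shell
#!/bin/sh
# Added example: decide whether a macOS host still needs Security Update 2017-001.
# The two text-processing functions are pure so they can be tested anywhere;
# main() performs the live check and only runs on macOS (Darwin).

# Constructed sample of `system_profiler SPInstallHistoryDataType` output.
# Layout approximated for illustration; it is not captured from a real host.
SAMPLE_HISTORY='Installations:

    macOS 10.13.1 Update:

      Version: 10.13.1
      Source: Apple
      Install Date: 20/11/2017, 08:41

    Security Update 2017-001:

      Version: 1.0
      Source: Apple
      Install Date: 30/11/2017, 09:12
'

# Return 0 when the install-history text names Security Update 2017-001
# (anchored on the entry name, so "2017-002" or similar does not match).
has_secupd_2017_001() {
    printf '%s\n' "$1" | grep -q '^ *Security Update 2017-001:'
}

# Return 0 when a productVersion string such as "10.13.1" belongs to the
# High Sierra line, which is the product the advisory covers.
is_high_sierra() {
    case "$1" in
        10.13|10.13.*) return 0 ;;
        *)             return 1 ;;
    esac
}

# Print one of: not-affected, patched, VULNERABLE
classify() {
    ver="$1"
    history="$2"
    if ! is_high_sierra "$ver"; then
        echo "not-affected"
    elif has_secupd_2017_001 "$history"; then
        echo "patched"
    else
        echo "VULNERABLE"
    fi
}

# Live check: assumes sw_vers, system_profiler and what exist (macOS).
# Exit status is non-zero when the host is classified VULNERABLE, so the
# script can be used as a compliance probe by a management tool.
main() {
    ver="$(sw_vers -productVersion)"
    history="$(system_profiler SPInstallHistoryDataType 2>/dev/null)"
    status="$(classify "$ver" "$history")"
    echo "macOS $ver: $status"
    # Build string of the login component, for manual comparison with the
    # value given in the vendor bulletin; absence of the tool is tolerated.
    what /usr/libexec/opendirectoryd 2>/dev/null || true
    [ "$status" != "VULNERABLE" ]
}

if [ "$(uname -s)" = "Darwin" ]; then
    main
fi
```

The classification reflects the state of affairs on the advisory date: every 10.13.x host without the named update in its history is reported as VULNERABLE, which is the safe default for a fleet check but will need revisiting once later point releases that bundle the fix are in circulation.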