Secure Apple Macs From Recent High Sierra Root Vulnerability

Published on 29 Nov 2017 by Addigy

Massive Root Everywhere Access

The recent Apple macOS High Sierra vulnerability is leaving companies scrambling to address a gaping security hole that offers multiple ways to gain root access. Just hours ago, developer Lemi Orhan Ergan alerted the wider world to the flaw via Twitter:

[Image: Lemi Orhan Ergan's tweet disclosing the root exploit]

It seems Apple may already have been aware, as the vulnerability is not present in 10.13.2 Beta 2, but it was never announced. This bug is especially bad because it allows for:

  1. Logging in as root from the initial console login window
  2. Gaining access to user accounts and turning off FileVault encryption
  3. For people who use ARD (Apple Remote Desktop), gaining root access over Remote Desktop sessions via an open inbound Remote Desktop port (currently an unverified claim)

Addigy customers quickly brought this to our attention and substantiated the exploit through multiple verifications in our community (shout out to Chris Dennis, Eric Parker, Benjamin Morales, and Jesse Johnson). Our own in-house rockstar Andrew Carson created a predefined command and made it publicly available to all our customers within one hour of this exploit being reported. Big thanks as always to Rich Trouton and his uber awesome scripts: https://github.com/rtrouton/rtrouton_scripts/blob/master/rtrouton_scripts/block_root_account_login/block_root_account_login.sh

[Image: Addigy root exploit fix]

Apple recently posted a knowledge base article to help individual users protect themselves: https://support.apple.com/en-us/HT204012

Addigy Recommends These 2 Immediate Resolutions:

✓ Block users from upgrading to High Sierra with our one-click Policy enforcement. Once enabled, users will be prompted if they attempt to install High Sierra, and admins will also receive a ticket/email that the user attempted the upgrade.

[Image: Block Install High Sierra policy]

✓ If you have any 10.13.X machines in your portfolio, run Addigy's Predefined Command to set root with a large random password via Block Root User:

[Image: Block Root User fix]
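As an added example (not Addigy's predefined command or Rich Trouton's script), a POSIX sh sketch of the same mitigation: generate a long random password, set it on the root account with dscl, and re-read the account's AuthenticationAuthority attribute to confirm a password hash is now present. The parsing of dscl's output (a ShadowHash entry meaning a hash exists) is an assumption about its format; only the --apply path touches the system and it needs sudo on macOS 10.13.x.

```shell
#!/bin/sh
# Added example, not Addigy's command or Rich Trouton's script.
# Mitigates the High Sierra root bug by giving the root account a long random
# password. Only the --apply path touches the system; it needs sudo on macOS.

# Print a random alphanumeric password of the requested length (default 64).
gen_random_password() {
    len="${1:-64}"
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$len"
}

# Classify root's state from its AuthenticationAuthority attribute text, i.e.
# the output of: dscl . -read /Users/root AuthenticationAuthority
# Assumption: a ShadowHash entry means a password hash exists; without one the
# account is in the empty-password state this bug abuses.
classify_root_auth() {
    case "$1" in
        *ShadowHash*) echo "password-set" ;;
        *)            echo "no-password" ;;
    esac
}

# Set a fresh random root password and verify the result. macOS only.
set_random_root_password() {
    pw="$(gen_random_password 64)"
    # The password is passed straight to dscl and is never printed or logged.
    sudo /usr/bin/dscl . -passwd /Users/root "$pw" || return 1
    auth="$(sudo /usr/bin/dscl . -read /Users/root AuthenticationAuthority 2>&1)"
    state="$(classify_root_auth "$auth")"
    echo "root account state: $state"
    [ "$state" = "password-set" ]
}

# Run the mitigation only when explicitly asked, so sourcing is side-effect free.
if [ "${1:-}" = "--apply" ]; then
    set_random_root_password
fi
```

Run it as `sh block_root.sh --apply` on each 10.13.x Mac; a result of "no-password" after applying means the change did not take and the machine still needs attention.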

Huge thanks to our partners for helping us verify the issue, to our Addigy team for delivering a fix that was publicly available to all customers in under an hour, and to the Addigy community for further assistance.

If you'd like to see these crazy exploits/bugs in action, check it out:


Updates and Resolution

Since the publication of this post and many others detailing the specifics of the vulnerability, Apple has issued an emergency Security Update 2017-001: https://support.apple.com/en-us/HT208315

This means that all of our Addigy Partners have immediate access to this update from within our tool and can begin protecting their machines before this vulnerability compromises their security infrastructure.

Updating machines

To update your machines, simply head to our System Updates section, select the update, and click "Add Update."


Then head to the Deploy Changes section within your policy and click "Deploy Now." Your machines will be updated automatically:


If you haven't yet seen how Addigy empowers I.T. to fully manage and protect Apple Macs across your entire organization, contact us today.

Keep I.T. Real, 

The Addigy Team (λ)