Massive Root Everywhere Access
The recent Apple macOS High Sierra vulnerability has companies scrambling to address a gaping security hole that offers multiple ways to gain root access. Just hours ago, developer Lemi Orhan Ergin alerted the wider world to the flaw via Twitter:
It seems Apple may already have been aware, as the vulnerability is not present in 10.13.2 Beta 2, but it was never announced. This bug is especially bad because it allows:
- Logging in as root from the initial console login screen
- Gaining access to user accounts and turning off FileVault encryption
- For people who use ARD (Apple Remote Desktop), gaining root access over Remote Desktop sessions via an open inbound RDP port (currently an unverified claim)
Addigy customers quickly brought this to our attention and substantiated the exploit through multiple verifications in our community (shout out to Chris Dennis, Eric Parker, Benjamin Morales, and Jesse Johnson). Our own in-house rockstar Andrew Carson created a predefined command and made it publicly available to all our customers within one hour of this exploit being reported. Big thanks as always to Rich Trouton and his uber-awesome scripts: https://github.com/rtrouton/rtrouton_scripts/blob/master/rtrouton_scripts/block_root_account_login/block_root_account_login.sh
Apple recently posted a knowledge base article to help individual users protect themselves: https://support.apple.com/en-us/HT204012
Addigy Recommends These 2 Immediate Resolutions:
✓ Block users from upgrading to High Sierra with our one-click Policy enforcement. Once enabled, users will be prompted if they attempt to install High Sierra, and admins will also receive a ticket/email noting that the user attempted to upgrade.
✓ If you have any 10.13.X machines in your portfolio, run Addigy's Predefined Command to set a large random password on the root account via Block Root User:
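As an added example (not Addigy's predefined command and not Rich Trouton's script), here is a small POSIX shell script that checks a Mac for the condition above and, when run as root with --remediate, sets a random 32-character root password. It assumes, as this post does, that every 10.13.x machine is affected until Security Update 2017-001 is installed, and it treats a missing AuthenticationAuthority key on the root record (read with dscl) as "no password set".

```shell
#!/bin/sh
# Added example: report whether a 10.13.x Mac still has a passwordless root
# account and optionally set a long random root password. Assumption carried
# over from the post: any 10.13.x release is treated as affected.

# Returns 0 when the reported macOS version is a 10.13.x release.
needs_security_update() {
    case "$1" in
        10.13|10.13.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Generates a 32-character alphanumeric password from the kernel RNG.
random_root_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32
}

# Returns 0 when the local root record carries an AuthenticationAuthority
# key, i.e. a password hash exists (dscl is macOS-only; assumption: the key is
# absent exactly when root has no password).
root_password_is_set() {
    command -v dscl >/dev/null 2>&1 || return 1
    dscl . -read /Users/root AuthenticationAuthority >/dev/null 2>&1
}

# Prints the machine's state; sets a random root password only when asked
# to with --remediate and only when running as root.
report_and_remediate() {
    version=$(sw_vers -productVersion 2>/dev/null || echo "unknown")
    if ! needs_security_update "$version"; then
        echo "macOS $version: not a 10.13.x release, nothing to do"
        return 0
    fi
    if root_password_is_set; then
        echo "macOS $version: root already has a password set"
        return 0
    fi
    echo "macOS $version: root has NO password; vulnerable until updated"
    if [ "${1:-}" = "--remediate" ] && [ "$(id -u)" -eq 0 ]; then
        dscl . -passwd /Users/root "$(random_root_password)"
        echo "root password set to a random 32-character value"
    fi
}

report_and_remediate "$@"
```

Run it once without arguments to audit, then with sudo and --remediate on machines that report a passwordless root; installing Apple's Security Update 2017-001 remains the real fix.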
Huge thanks to our partners for helping us verify the issue, our Addigy team for delivering a fix that was publicly available to all customers in under an hour, and our Addigy for further assistance.
If you'd like to see these crazy exploits/bugs in action, check it out:
Just tested the apple root login bug. You can log in as root even after the machine was rebooted pic.twitter.com/fTHZ7nkcUp— Amit Serper (@0xAmit) November 28, 2017
🤣🍎👾💀☠️ pic.twitter.com/4TBh5NetIS— patrick wardle (@patrickwardle) November 28, 2017
Updates and Resolution
Since the publication of this post and many others detailing the specifics of the vulnerability, Apple has issued an emergency Security Update 2017-001: https://support.apple.com/en-us/HT208315.
This means that all of our Addigy Partners have immediate access to this update from within our tool and can begin protecting their machines before this vulnerability compromises their security infrastructure.
To update your machines, simply head to our System Updates section, select the update, and select "Add Update."
Then head to the Deploy Changes section within your policy and select "Deploy Now." Your machines will be updated automatically:
If you haven't yet seen how Addigy empowers I.T. to fully manage and protect Apple Macs across your entire organization, contact us today.
Keep I.T. Real,
The Addigy Team.