A security flaw has been detected in Mac operating systems, High Sierra 10.13 or greater. This vulnerability allows anyone to log in to a Mac device and change administrative settings by typing in the username “root” with no password. More details can be found in the links provided.
Systems at Risk
- Currently, this vulnerability has only been detected on Macs whose operating system has been upgraded to High Sierra 10.13 or greater.
o Systems running Apple Remote Desktop (ARD) can be logged into remotely with a root account, no password.
o Systems running Apple Screen Sharing can be logged into remotely with a root account, no password.
o Systems with local console access, such as shared usage computers in teaching or lab environments, can be logged into locally with a root account, no password.
o There are likely other services impacted on vulnerable systems.
o SSH running as a service on vulnerable systems is not affected by this issue, due to other controls in macOS.
Systems Not at Risk
- Mac operating systems prior to 10.13.
- Machines running 10.13 should immediately be upgraded to 10.13.1 and have Apple Security Update 2017-001 installed. https://support.apple.com/en-ca/HT208315
- If a machine cannot be upgraded, then the root account must be enabled, and a complex password set on it. https://www.macrumors.com/how-to/temporarily-fix-macos-high-sierra-root-bug
- No action is required for machines running macOS 10.12.6 or earlier.
- When/if they are upgraded to macOS High Sierra, they should automatically receive 10.13.1 and the security patch.
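
The rules above can be applied to a machine inventory to decide which Macs to patch first. The script below is an added example, not part of the original advisory: the CSV layout, host names and status labels are assumptions made for illustration, and any 10.13 or later machine without Security Update 2017-001 recorded is flagged, following the advisory's wording.

```shell
#!/bin/sh
# Constructed sample inventory (not real hosts). Assumed columns:
# host,os_version,secupd_2017_001(yes|no),remote(ard|screenshare|none)
INVENTORY='lab-01,10.12.6,no,none
lab-02,10.13,no,none
lab-03,10.13.1,no,ard
lab-04,10.13.1,yes,screenshare
lab-05,10.13,no,screenshare'

# ver_num: 10.13.1 -> 101301; missing parts count as 0.
# The body runs in a subshell so the IFS change does not leak.
ver_num() (
    IFS=.
    set -- $1
    echo $(( ${1:-0} * 10000 + ${2:-0} * 100 + ${3:-0} ))
)

# classify VERSION SECUPD REMOTE -> status, following the advisory's rules.
classify() {
    v=$(ver_num "$1")
    if [ "$v" -lt 101300 ]; then
        echo "not-at-risk"            # prior to 10.13
    elif [ "$v" -ge 101301 ] && [ "$2" = "yes" ]; then
        echo "patched"                # 10.13.1 plus Security Update 2017-001
    elif [ "$3" != "none" ]; then
        echo "vulnerable-remote"      # ARD or Screen Sharing is reachable
    else
        echo "vulnerable-local"       # local console access only
    fi
}

# triage: read the inventory on stdin and print "status host",
# with remotely exposed machines listed first.
triage() {
    while IFS=, read -r host ver upd remote; do
        [ -n "$host" ] || continue
        echo "$(classify "$ver" "$upd" "$remote") $host"
    done | sort -r
}

printf '%s\n' "$INVENTORY" | triage
```

Machines reported as vulnerable-remote or vulnerable-local need the upgrade to 10.13.1 with Security Update 2017-001 or, if they cannot be upgraded, the root account enabled with a complex password.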