An authentication flaw has been discovered in MacOS version 10.13 (High Sierra) and MacOS 10.13.2 beta. A threat actor with remote or physical access to the device can gain administrative privileges by logging in with the user account "root" through System Preferences. Remote attacks require Apple's Remote Desktop Protocol. No password is required and once completed the threat actor will have persistent access to the device.  

This is a trivial attack to perform and has a wide range of potential consequences namely, unauthorized access.

 

What should you do about it

  • It is important to never leave your device unattended, especially in public places.
  • Enabling the root account and setting the password appears to be the most effective mitigation at this time.

 

Additional information

There is not currently a patch for this vulnerability. For mitigation steps and a technical analysis please see the following links:

[1] https://support.apple.com/en-us/HT204012

[2] https://www.macrumors.com/how-to/temporarily-fix-macos-high-sierra-root-bug/

 

See the latest security advisories

Articles and reports written by eSentire staff and our Threat Intelligence Research Group.

Ready to get started?
We're here to help.

Get Started
Reach out to schedule a meeting and learn more about our Managed Detection and Response, Risk Advisory and Managed Prevention capabilities.