Apple macOS High Sierra Vulnerability Allows Users to Create Root Accounts without Authentication

A vulnerability in Apple’s macOS High Sierra 10.13.1 and 10.13.2 allows for the creation of a root account that does not require a password for authentication on an affected system. When the system prompts the user to enter administrative credentials for a privileged action, the vulnerability allows the user to merely enter root as the username in the authentication dialogue box and does not require a password before creating the root account. This unprotected root account could then be accessed by a threat actor, either locally or remotely, and used to gain full control over the system. Remote access services such as Virtual Network Computing (VNC), Remote Desktop Protocol (RDP), and screen sharing could be used to exploit this vulnerability on affected macOS systems. Apple is currently working on a patch. The NJCCIC recommends users and administrators of affected macOS systems review the CERT Vulnerability Note and immediately mitigate this vulnerability by enabling the root account and establishing a complex password, preventing a threat actor from being able to create a root account with a custom password themselves. Apple provides instructions on enabling the root user and changing the root password here. Additionally, users should apply the necessary patch as soon as it becomes available.