9.3 - VU#113765

Executive Summary

Summary
Title	Apple MacOS High Sierra disabled account authentication bypass

Informations
Name	VU#113765	First vendor Publication	2017-11-29
Vendor	VU-CERT	Last vendor Modification	2017-11-29
Severity (Vendor)	N/A	Revision	M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score	9.3	Attack Range	Network
Cvss Impact Score	10	Attack Complexity	Medium
Cvss Expoit Score	8.6	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#113765

Apple MacOS High Sierra disabled account authentication bypass

Original Release date: 29 Nov 2017 | Last revised: 29 Nov 2017

Overview

Apple MacOS High Sierra fails to properly require authentication for disabled accounts, such as root account, which can allow an authenticated user to obtain root privileges.

Description

Apple MacOS High Sierra (10.13) contains a flaw in how it authenticates disabled accounts. When a privileged action prompts the user for administrative credentials, the user can simply enter the user of "root" with an empty password. The first attempt appears to fail, but in actuality, this action causes MacOS High Sierra to enable the ability to log in as root using the credentials specified. A second attempt to authenticate using the same credentials successfully takes the action with root administrative privileges. Once this vulnerability has been triggered by an authenticated user (either locally, or via remote access such as SSH), the root account will be available to use as a viable authentication mechanism to the system.

It is important to note that simply confirming the vulnerability on a system will have the side effect of enabling the root account for use in authenticating to the system.

Impact

A local or remote user of a MacOS High Sierra system can obtain root privileges without requiring credentials. Any system that has the root account enabled (e.g. via testing for this vulnerability) may also expose the root account for use with remote administrative capabilities, such as the built-in "Screen Sharing" or "Remote Management" capabilities

Solution

Apply an update

This issue is addressed in Security Update 2017-001. Please also consider the following workaround if you are unable to install the update:

Set the root password

As a user with administrative privileges, launch Terminal
Type sudo passwd -u root
Enter a strong password

For an alternative GUI method to setting the root password, please see Apple support article HT204012.

Note: It is important to not disable the root account after setting a password. If the root account is disabled after setting a password, this action will revert the system back to the vulnerable state.

Vendor Information (Learn More)

Vendor	Status	Date Notified	Date Updated
Apple	Affected	29 Nov 2017	29 Nov 2017

If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group	Score	Vector
Base	7.2	AV:L/AC:L/Au:N/C:C/I:C/A:C
Temporal	6.2	E:POC/RL:W/RC:C
Environmental	4.6	CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

https://forums.developer.apple.com/thread/79235#277225
https://support.apple.com/en-us/HT204012
https://objective-see.com/blog/blog_0x24.html

Credit

This vulnerability was publicly disclosed by chethan177.

This document was written by Will Dormann.

Other Information

CVE IDs:CVE-2017-13872
Date Public:13 Nov 2017
Date First Published:29 Nov 2017
Date Last Updated:29 Nov 2017
Document Revision:41

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

Url : http://www.kb.cert.org/vuls/id/113765

CWE : Common Weakness Enumeration

%	Id	Name
100 %	CWE-287	Improper Authentication

CPE : Common Platform Enumeration

Type	Description	Count
Os	Apple Mac Os X cpe:2.3:o:apple:mac_os_x:10.13.1:::::::* cpe:2.3:o:apple:mac_os_x:10.13.0:::::::*	2

Nessus® Vulnerability Scanner

Date	Description
2017-12-07	Name : The remote host is missing a macOS update that fixes multiple security vulner... File : macos_10_13_2.nasl - Type : ACT_GATHER_INFO
2017-12-04	Name : The remote host is affected by an authentication bypass vulnerability. File : macos_10_13_auth_bypass_remote_check.nasl - Type : ACT_DESTRUCTIVE_ATTACK
2017-11-29	Name : The remote host is running a version of macOS that is affected by a root auth... File : macos_10_13_root_auth_bypass_direct_check.nasl - Type : ACT_DESTRUCTIVE_ATTACK
2017-11-28	Name : The remote host is running a version of MacOS that is affected by a root auth... File : macosx_high_sierra_empty_root_password.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.

Date	Informations
2017-12-14 21:23:41	Multiple Updates
2017-11-30 05:19:57	Multiple Updates
2017-11-29 21:21:25	Multiple Updates
2017-11-29 17:20:54	First insertion

Global Informations

Type	Count
CWE ID(s)	1
CPE ID(s)	2
Nessus® Exploit(s)	4

	Related
8.1	CVE-2017-13872
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 1 more Alert(s)