apianti Posted November 29, 2017 Share Posted November 29, 2017 Apparently there appears to be a vulnerability where you can authenticate with root user and no password. https://www.reddit.com/r/apple/comments/7g6y06/anyone_can_login_as_root_with_empty_password_on/ https://twitter.com/lemiorhan/status/935578694541770752 https://news.ycombinator.com/item?id=15800676 4 Link to comment Share on other sites More sharing options...
Maniac10 Posted November 29, 2017 Share Posted November 29, 2017 Apple always brings the best user experience, this time it's a vulnerability even a 5 year old can exploit. For now as countermeasure just change the root user's password with: passwd root Link to comment Share on other sites More sharing options...
David-B Posted November 29, 2017 Share Posted November 29, 2017 Has anyone here tried it? I know they say you shouldn't, but it seems harmless as long as you set a root password. Link to comment Share on other sites More sharing options...
smolderas Posted November 29, 2017 Share Posted November 29, 2017 MacOS came always with root account without password. It was always deactivated though, and one would always activate it explicitly. Link to comment Share on other sites More sharing options...
wern apfel Posted November 29, 2017 Share Posted November 29, 2017 Fixed, with a new update 10.13.1 (17B1002). No restart required. Link to comment Share on other sites More sharing options...
Qwels Posted November 29, 2017 Share Posted November 29, 2017 came the patch Link to comment Share on other sites More sharing options...
apianti Posted November 29, 2017 Author Share Posted November 29, 2017 That was really fast, like a day. That's a good security team right there. 3 Link to comment Share on other sites More sharing options...
Badruzeus Posted November 30, 2017 Share Posted November 30, 2017 But there's another new issue after secUpd.. Link to comment Share on other sites More sharing options...
smolderas Posted November 30, 2017 Share Posted November 30, 2017 But there's another new issue after secUpd.. Just reinitialize the KDC and you are good to go. 1 Link to comment Share on other sites More sharing options...
Recommended Posts