A newly discovered macOS High Sierra (10.13) vulnerability (CVE-2017-13872) allows authentication as the root user without a password. This article summarizes the information Apple has published about the bug and describes how to work around and/or patch it.
Vulnerability Details: https://support.apple.com/en-us/HT208315
Affects: macOS High Sierra 10.13.1
Not impacted: macOS Sierra 10.12.6 and earlier
Impact: An attacker may be able to bypass administrator authentication without supplying the administrator’s password
Description: A logic error existed in the validation of credentials. This was addressed with improved credential validation.
CVE-2017-13872
Apple released the fix, Security Update 2017-001, on November 29, 2017: https://support.apple.com/en-us/HT208315
Note: SMA version 8.1.107 is now available and supports High Sierra. For SMA versions prior to 8.1.x, see the workaround below.
macOS High Sierra (10.13) is not supported by SMA version 8.0 or earlier; support is expected in version 8.1 in spring 2018, after which this patch can be deployed through the SMA patch feed. Until then, as a workaround, KACE Support has built and packaged two components, a Managed Installation and an accompanying Software title, that can be imported into the SMA from a single kpkg file to deploy the patch and inventory its presence. The SMA agent is not certified for macOS 10.13, but apart from the missing patch-feed support we have not yet encountered any functional issues with the agent on High Sierra.
To import the kpkg file, download the article attachment (Managed-Install-1.kpkg), upload it to the client_drop Samba share on the SMA, and import it under Settings > Resources. Once imported, apply the Managed Install to the applicable macOS 10.13 systems (by smart label, static label, or static device list). The Software title detects the patch with a custom inventory rule: when the update is installed, it appears in Inventory as "Security Update 2017-001", and the custom inventory field records the project version of /usr/libexec/opendirectoryd, which is the verification method Apple recommends in its bulletin (`what /usr/libexec/opendirectoryd`). Reports can then be built from this Software title to show which systems have the patch installed or missing.
If any issues arise with this process, please contact KACE Support for further assistance.
More information about importing resources can be found here: https://support.quest.com/kb/116949
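The check that the custom inventory rule performs can be reproduced by hand. The shell script below is an added example written for this article, not the code shipped in the kpkg and not Quest's or Apple's: it parses the output of `what /usr/libexec/opendirectoryd` (the verification step Apple's HT208315 describes), extracts the opendirectoryd project version, and compares it against the values Apple lists for 10.13 (483.1.5) and 10.13.1 (483.20.7). The sample what(1) output is constructed, the function names are the example's own, and treating any later project version as patched is an assumption that goes beyond the advisory's exact-match instruction.

```shell
#!/bin/sh
# Added example (not part of the KACE package): reproduce the custom inventory
# rule's check by reading the opendirectoryd project version that Apple's
# HT208315 tells you to inspect with `what /usr/libexec/opendirectoryd`.

# Constructed samples of what(1) output. The patched value 483.20.7 is the
# number Apple lists for 10.13.1; the unpatched value is hypothetical and only
# exercises the parser.
SAMPLE_PATCHED='/usr/libexec/opendirectoryd:
	PROGRAM:opendirectoryd  PROJECT:opendirectoryd-483.20.7'
SAMPLE_UNPATCHED='/usr/libexec/opendirectoryd:
	PROGRAM:opendirectoryd  PROJECT:opendirectoryd-483.20.1'

# Print the dotted project version (e.g. 483.20.7) found in what(1) output $1,
# or nothing if no PROJECT:opendirectoryd-<version> tag is present.
odd_project_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*PROJECT:opendirectoryd-\([0-9][0-9.]*\).*/\1/p' |
        head -n 1
}

# Field-by-field numeric comparison of two dotted versions; prints -1, 0 or 1.
# Missing trailing fields count as 0, so 483 < 483.1.
vercmp() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax=${a%%.*} bx=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        if [ "${ax:-0}" -lt "${bx:-0}" ]; then printf '%s\n' -1; return; fi
        if [ "${ax:-0}" -gt "${bx:-0}" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# Exit 0 if the opendirectoryd project version in what(1) output $2 is at or
# beyond the value Apple lists for macOS release $1 in HT208315, 1 if it is
# older or could not be parsed, 2 for releases this check does not cover.
# Accepting a newer project version as patched is this example's assumption;
# the advisory itself names exact values only.
security_update_2017_001_installed() {
    release=$1 what_output=$2
    case $release in
        10.13)   want=483.1.5 ;;
        10.13.1) want=483.20.7 ;;
        *)       return 2 ;;
    esac
    have=$(odd_project_version "$what_output")
    [ -n "$have" ] || return 1
    [ "$(vercmp "$have" "$want")" -ge 0 ]
}

# Stand-alone run: the constructed samples first, then the live host when the
# macOS-only tools what(1) and sw_vers(1) are available.
for sample in "$SAMPLE_PATCHED" "$SAMPLE_UNPATCHED"; do
    if security_update_2017_001_installed 10.13.1 "$sample"; then
        echo "opendirectoryd-$(odd_project_version "$sample"): Security Update 2017-001 present"
    else
        echo "opendirectoryd-$(odd_project_version "$sample"): Security Update 2017-001 MISSING"
    fi
done
if command -v what >/dev/null 2>&1 && command -v sw_vers >/dev/null 2>&1; then
    live=$(what /usr/libexec/opendirectoryd 2>/dev/null)
    if security_update_2017_001_installed "$(sw_vers -productVersion)" "$live"; then
        echo "this host: Security Update 2017-001 present"
    else
        echo "this host: Security Update 2017-001 missing, or not a 10.13/10.13.1 build"
    fi
fi
```

The script only decides; it does not install anything. On a host that reports missing, the Managed Install above (or Software Update on the Mac itself) delivers the fix, and re-running the check confirms the project version changed.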
Workaround
Pending the update, the vulnerability can also be mitigated by setting a password for the root account on vulnerable systems. For step-by-step instructions, see https://support.apple.com/en-us/HT204012
© 2024 Quest Software Inc. ALL RIGHTS RESERVED.