• Skip to Content
  • Skip to Main Navigation
  • Skip to Search

Indiana University Indiana University IU

Open Search
  • Personal Preparedness
    • Email & phishing scams
    • Identity verification
    • IU passphrases
    • Hardware & software security
      • Laptop & mobile device security
      • Malware, scareware, & ransomware
      • Wearable technologies
      • Use of survey software
    • File sharing & copyright
      • Contesting copyright infringement notices
      • Disabling peer-to-peer file sharing
      • Copyright tutorial
      • Copyright infringement incident resolution
    • Vulnerability Disclosure Guidance
    • Keeping data safe
    • Web privacy
    • Account privileges
    • Remote Desktop
  • Information & IT Policies
    • Policy Hierarchy
    • Privacy policies & FAQ
    • Acceptable Use Agreement
    • Information & IT Policy Process
    • Cyber Risk Review
    • IT-12 Security Standards
  • Information Security & Privacy Program
    • Scope
    • Goals & Objectives
    • Governance
    • Principles
    • Safeguards
      • Risk assessment and treatment
      • Policy administration
      • Organization
      • Asset management
      • Human resources
      • Physical & environmental security
      • Communications & operations management
      • Identity & access control
      • Information systems acquisition, development, and maintenance
      • Incident management
      • Business continuity management
      • Compliance
    • Charter
  • Privacy Portal
    • Privacy matters
    • Sensitive data
      • Guidelines
    • Sharing institutional data with third parties
  • Resources for IT Staff
    • Information Risk Assessments
    • SecureMyResearch
    • Cloud computing
    • Audits & requirements
    • Data encryption
    • Back up data
    • Information security best practices
    • CIS Secure Suite
    • Disaster recovery planning
    • Managing employee data
    • Medical device security
    • Transferring data securely
    • Using SSH
    • Additional resources
      • Privacy Notice Generator
      • Incident Response Webservice
      • SSL/TLS certificates
  • About
    • Glossary of Terms
    • Trustees Resolution
  • Contact
  • Report an Incident
    • Report Privacy Incident or Request Assistance
    • Emergency IT Incidents
    • Managing Incidents
    • Identity Theft
    • Reporting Suspected Sensitive Data Exposures
    • Reporting Suspected HIPAA Data Exposures

Information Security & Policy

  • Home
  • Personal Preparedness
    • Email & phishing scams
    • Identity verification
    • IU passphrases
    • Hardware & software security
    • File sharing & copyright
    • Vulnerability Disclosure Guidance
    • Keeping data safe
    • Web privacy
    • Account privileges
    • Remote Desktop
  • Information & IT Policies
    • Policy Hierarchy
    • Privacy policies & FAQ
    • Acceptable Use Agreement
    • Information & IT Policy Process
    • Cyber Risk Review
    • IT-12 Security Standards
  • Information Security & Privacy Program
    • Scope
    • Goals & Objectives
    • Governance
    • Principles
    • Safeguards
    • Charter
  • Privacy Portal
    • Privacy matters
    • Sensitive data
    • Sharing institutional data with third parties
  • Resources for IT Staff
    • Information Risk Assessments
    • SecureMyResearch
    • Cloud computing
    • Audits & requirements
    • Data encryption
    • Back up data
    • Information security best practices
    • CIS Secure Suite
    • Disaster recovery planning
    • Managing employee data
    • Medical device security
    • Transferring data securely
    • Using SSH
    • Additional resources
  • Search
  • About
  • Contact
  • Report an Incident
  • Home
  • Security Bulletins
  • High Sierra vulnerability

Updated: Easily exploitable, critical vulnerability in macOS High Sierra

Wednesday, November 29, 2017

Update: Apple has released Security Update 2017-001, which addresses this vulnerability. The recommended action is to apply this patch immediately to all computers running macOS High Sierra in lieu of the workarounds listed below.

Background

On Nov. 28, 2017, a critical and easily exploitable privilege escalation vulnerability in macOS High Sierra was revealed via social media.

Impact

Computers running macOS High Sierra have a critical vulnerability that allows anyone with local or remote access to the device to gain root privileges. Further, once root privileges have been acquired subsequent access to the machine as root is possible even if the system is locked. Remote root access via VNC (Apple Remote Desktop) is also exploitable. Once root access is acquired, attackers can take complete control of a system including, but not limited to, bypassing FileVault drive encryption, creating new administrator accounts and executing arbitrary code.

Platforms affected

macOS High Sierra (versions 10.13.0, 10.13.1, and beta 10.13.2)

Local observations

  • IU security personnel have confirmed this vulnerability exists.
  • While UISO has not seen active exploitation of this vulnerability, given its public knowledge and the trivial skills required to exploit it, we expect this to be widely exploited imminently.
  • Macs managed via JAMF have access to a script that will implement an effective workaround.
  • As a precaution, IU has blocked the VNC port (TCP port 5900) at the border to prevent remote exploits of this vulnerability.

UISO recommendations

  • All machines running macOS High Sierra should immediately apply the workaround and leave the root account enabled. (Disabling the root account restores the vulnerability.)
  • IT Professionals who manage Macs via JAMF should apply the script GLOBAL_HighSierra_ROOT_Block.
  • Once Apple has released a patch, all machines running High Sierra should apply the patch as soon as possible.

Workarounds

The only known workaround is to enable the root account and then set a strong password on the account. Instructions for the workaround.

Further reading

  • How to Temporarily Fix the macOS High Sierra Bug
  • Highly detailed and technical explanation of the vulnerability

Information Security & Policy resources

  • Leading in Cybersecurity
  • IU Data Management

Indiana University

Accessibility | College Scorecard | Privacy Notice | Copyright © 2024 The Trustees of Indiana University