Update: Apple has released Security Update 2017-001, which addresses this vulnerability. The recommended action is to apply this patch immediately to all computers running macOS High Sierra in lieu of the workarounds listed below.
On Nov. 28, 2017, a critical and easily exploitable privilege escalation vulnerability in macOS High Sierra was revealed via social media.
Computers running macOS High Sierra have a critical vulnerability that allows anyone with local or remote access to the device to gain root privileges. Further, once root privileges have been acquired subsequent access to the machine as root is possible even if the system is locked. Remote root access via VNC (Apple Remote Desktop) is also exploitable. Once root access is acquired, attackers can take complete control of a system including, but not limited to, bypassing FileVault drive encryption, creating new administrator accounts and executing arbitrary code.
macOS High Sierra (versions 10.13.0, 10.13.1, and beta 10.13.2)
- IU security personnel have confirmed this vulnerability exists.
- While UISO has not seen active exploitation of this vulnerability, given its public knowledge and the trivial skills required to exploit it, we expect this to be widely exploited imminently.
- Macs managed via JAMF have access to a script that will implement an effective workaround.
- As a precaution, IU has blocked the VNC port (TCP port 5900) at the border to prevent remote exploits of this vulnerability.
- All machines running macOS High Sierra should immediately apply the workaround and leave the root account enabled. (Disabling the root account restores the vulnerability.)
- IT Professionals who manage Macs via JAMF should apply the script GLOBAL_HighSierra_ROOT_Block.
- Once Apple has released a patch, all machines running High Sierra should apply the patch as soon as possible.
The only known workaround is to enable the root account and then set a strong password on the account. Instructions for the workaround.