11/29/2017 11:07 PM
"A logic error existed in the validation of credentials" that allowed access to the root account without providing a password!
http://www.kb.cert.org/vuls/id/113765
Apple MacOS High Sierra disabled account authentication bypass
Apple MacOS High Sierra fails to properly require authentication for disabled accounts, such as root account, which can allow an authenticated user to obtain root privileges.
A local or remote user of a MacOS High Sierra system can obtain root privileges without requiring credentials. Any system that has the root account enabled (e.g. via testing for this vulnerability) may also expose the root account for use with remote administrative capabilities, such as the built-in "Screen Sharing" or "Remote Management" capabilities[.]
Security Update 2017-001
Released November 29, 2017
Available for: macOS High Sierra 10.13.1
Not impacted: macOS Sierra 10.12.6 and earlier
Impact: An attacker may be able to bypass administrator authentication without supplying the administrator's password
Description: A logic error existed in the validation of credentials. This was addressed with improved credential validation.
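The CERT note above points out that any system on which the root account has been enabled (for example while testing for this bug) now carries a live root login that remote services such as Screen Sharing can accept. The following shell script is an added example for checking that state on a fleet; it is not code from the original post, CERT, or Apple. It assumes the macOS `dscl` tool and the `AuthenticationAuthority` attribute on `/Users/root` (absent on a never-enabled root, carrying `;ShadowHash;` once a password is set, and tagged `;DisabledUser;` once disabled again); the sample strings are constructed to mimic those three output shapes so the classifier can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original post, CERT or Apple): classify the
# root account on a macOS host as unset / enabled / disabled by reading
# its AuthenticationAuthority record. Assumptions: `dscl` is present and
# a never-enabled root yields "No such key"; an enabled root carries a
# ShadowHash entry; a disabled root is tagged DisabledUser.

# Return 0 (true) when the AuthenticationAuthority text describes an
# enabled account: it has a ShadowHash entry and no DisabledUser tag.
root_enabled_from_aa() {
  aa="$1"
  case "$aa" in
    *DisabledUser*) return 1 ;;
    *ShadowHash*)   return 0 ;;
    *)              return 1 ;;
  esac
}

# Map raw dscl output to one of: unset, enabled, disabled.
root_state_from_dscl() {
  out="$1"
  case "$out" in
    *"No such key"*) echo unset; return 0 ;;
  esac
  if root_enabled_from_aa "$out"; then
    echo enabled
  else
    echo disabled
  fi
}

# Live check on a Mac. dscl reports a missing key on stderr, so the
# streams are merged before classification.
check_root_account() {
  out=$(dscl . -read /Users/root AuthenticationAuthority 2>&1)
  root_state_from_dscl "$out"
}

# Constructed sample values shaped like the three dscl outputs above.
SAMPLE_UNSET='No such key: AuthenticationAuthority'
SAMPLE_ENABLED='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'
SAMPLE_DISABLED='AuthenticationAuthority: ;DisabledUser;;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'

# Only query the directory on macOS; elsewhere the functions are still
# usable against captured dscl output.
if [ "$(uname)" = "Darwin" ]; then
  printf 'root account: %s\n' "$(check_root_account)"
fi
```

A host reporting `enabled` should either have root disabled again or have a strong root password set, and its Screen Sharing / Remote Management settings reviewed, since those services will honour the root credential the advisory describes.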
[This entry was originally posted as https://syntonic-comma.dreamwidth.org/940124.html on Dreamwidth (where there are comments).]