BigFix solution to major security issue in Apple High Sierra!

jgstew · November 28, 2017, 9:36pm

Update: Apple has released a fix: https://support.apple.com/en-us/HT208315 (need to update relevance to exclude this version)

Mentioned but noticed 2 weeks before: https://twitter.com/fristle/status/935670476214378496
Announced widely: https://twitter.com/lemiorhan/status/935578694541770752
See the issue: https://twitter.com/patrickwardle/status/935608904377077761
BigFix content within 2 hours: https://bigfix.me/fixlet/details/24857
Apple Patch within 24 hours:

@AlanM

It seems like anyone can use the root user without a password on High Sierra in the currently released version, which is a major problem!

This is a workaround that sets a random password for the root user:

The content says to test all over it, which you should, but it is based upon well tested scripts, so it should be all good.

An additional step is that you can set the root user’s shell to “false” to prevent logins:

https://github.com/jgstew/bigfix-content/blob/master/fixlet/Set%20Root%20User%20Shell%20to%20false%20to%20prevent%20login%20-%20Apple%20Mac%20OS%20X.bes

It seems like this was mentioned on apple’s own forum 2 weeks ago: https://twitter.com/fristle/status/935670476214378496

The manual fix: https://twitter.com/reneritchie/status/935627307565355014

Wow, @jgstew … trying to make sense of plists on macOS and getting nowhere. Stuff like this works:
(keys of it, sizes of arrays of values of it) of entries of dictionaries of files "/var/db/dslocal/nodes/Default/users/root.plist"
but actually getting the data in that array is eluding me. Any pointers?

straffin · November 29, 2017, 2:49am

I think I’ve got it!

length of string 0 of array "passwd" of dictionaries of files "/var/db/dslocal/nodes/Default/users/root.plist"

This yields results of either 1 or 8 based on my few tests. According to the stackexchange post, 1 = disabled root, 8 = enabled root. Right? So then, the relevance to detect a disabled root account would be:
length of string 0 of array "passwd" of dictionaries of files "/var/db/dslocal/nodes/Default/users/root.plist" = 1

jgstew · November 29, 2017, 4:45am

Yep, you got it. You beat me to it. I was working on this, then left for dinner, and didn’t get back to it until now.

It is tough, I feel like I have to relearn it every time. Using number of is very useful.

This is how I would write it for applicability: (plural is best)

exists strings 0 whose(length of it = 1) of arrays "passwd" of dictionaries of files "/var/db/dslocal/nodes/Default/users/root.plist"

In some ways, this might actually be better:

not exists strings 0 whose(length of it = 8) of arrays "passwd" of dictionaries of files "/var/db/dslocal/nodes/Default/users/root.plist"

And for reporting:

lengths of strings 0 of arrays "passwd" of dictionaries of files "/var/db/dslocal/nodes/Default/users/root.plist"

jgstew · November 29, 2017, 5:03am

I just updated the links in the original post at the top to point to the new versions with the new relevance. Thanks!

I don’t know if that tweet I linked was the first disclosure of this issue, but if so, I had a workaround posted within 2 hours.

jgstew · November 29, 2017, 5:38am

Just added content to change the root user’s shell, which I have not tested:

github.com

jgstew/bigfix-content/blob/master/fixlet/Set Root User Shell to false to prevent login - Apple Mac OS X.bes

<?xml version="1.0" encoding="UTF-8"?>
<BES xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="BES.xsd">
	<Fixlet>
		<Title>Set Root User Shell to false to prevent login - Apple Mac OS X</Title>
		<Description><![CDATA[&lt;enter a description of the problem and the corrective action here&gt; ]]></Description>
		<Relevance>mac of operating system</Relevance>
		<Relevance>not exists strings 0 whose(it = "/usr/bin/false") of arrays "shell" of dictionaries of files "/var/db/dslocal/nodes/Default/users/root.plist"</Relevance>
		<Category></Category>
		<Source>Internal</Source>
		<SourceID>jgstew</SourceID>
		<SourceReleaseDate>2017-11-28</SourceReleaseDate>
		<SourceSeverity></SourceSeverity>
		<CVENames></CVENames>
		<SANSID></SANSID>
		<MIMEField>
			<Name>x-fixlet-modification-time</Name>
			<Value>Wed, 29 Nov 2017 05:35:36 +0000</Value>
		</MIMEField>
		<Domain>BESC</Domain>
		<DefaultAction ID="Action1">

This file has been truncated. show original

CC: @sbl

WretchedKat · November 29, 2017, 3:31pm

So this will create a random password for the root account? Is there a way to make it a specific password or to find out what the created password is?

jgstew · November 29, 2017, 4:30pm

It is not hard to make it a specific password. I am intentionally making it a very random password and not storing it in any way so that it is NOT known on purpose.

Setting it to something that is known and the same on all of your computers is a potential security issue, but if that is what you want, just do the following:

wait sh -c "dscl . -passwd '/Users/root' MyP@ssw0rd!"

WretchedKat · November 29, 2017, 4:40pm

I’d prefer to just set the root user shell to false like you mentioned above. Doing that seems to have resolved the issue without making any password change to the root account.

I do have a question regarding changing the root user shell to false. Would this affect bigfix script usage on that machine in any way or does it just not allow a user to log in as root?

I was under the impression that bigfix ran all scripts as though it were root. Or does it just have root level access?

jgstew · November 29, 2017, 4:42pm

I don’t know for certain, but it should just prevent login as root, it should not prevent BigFix from running actions as root.

This will prevent interactive logins as root, but it will not prevent all possible uses of the root account. If you don’t set the password and activate the root account, then there will still be possible exploits. Setting the root shell to false is a more conservative approach, but not perfect.

crowsj · November 29, 2017, 4:47pm

Looks like Apple has released a security patch for it.

My understanding is this just disables the “root” user.

jgstew · November 29, 2017, 4:49pm

The fix from apple changes the broken validation that caused the issue in the first place. It probably also disables the root user in case it was turned on due to this issue.

WretchedKat · November 29, 2017, 5:23pm

So how would we change the root user shell back to true manually?

I assume we could just change ‘/usr/bin/false’ to ‘/usr/bin/true’ and run that, but if we wanted to make this change on a single machine without running a fixlet how would we go about it?

jgstew · November 29, 2017, 8:02pm

That is covered here: Blocking logins to the root account on macOS High Sierra | Der Flounder

You don’t need to change it back unless you have people logging into a mac as root, which you should not have that generally, so this might be a good thing to leave in place as an extra protection.

straffin · November 29, 2017, 8:02pm

@jgstew - Not that it likely matters anymore now that Apple’s released a patch, but it turns out that a computer that has had the flaw exploited also has a passwd of length 8, so the relevance is overly exclusive. I’m looking into what would identify an exploited root.

jgstew · November 29, 2017, 8:03pm

yes, that is true… I wasn’t handling that case.

objective c - How do I determine if a user has a password set on Mac? - Stack Overflow

straffin · November 29, 2017, 8:15pm

Sigh … looks like there’s no difference (that I can find anyway) between root user on a macOS 10.13 computer that has had the password explicitly set and that has had the vulnerability exploited. Guess we just have to deploy the patch.

BigFix solution to major security issue in Apple High Sierra!

Related: