Apple recently disclosed a critical security vulnerability in macOS High Sierra. The vulnerability allowed a user to authenticate using the “root” username with a null password, even on systems where the root user was disabled. This vulnerability could allow unauthorized access to machines locally, and potentially via remote logins (via SSH and/or Screen Sharing).
Alert: Customer action may be required
All AirWatch Administrators managing macOS High Sierra devices are encouraged to take the following actions:
- Configure a “Software Update” payload for a macOS device profile: Set “Install macOS Updates” to “Install Updates Automatically” and configure the update interval to 30 minutes so that your fleet picks up the update as soon as possible. Security Update 2017-001 does not require a restart.
Note: The 2017-001 Security Update does not require a restart, but it does require 10.13.1 be installed. If your device is running 10.13 (vulnerable), you will need to update to 10.13.1 (restart required) in order to apply Security Update 2017-001.
- Configure a Custom Attribute to Audit the Installer Action: Use the following command line to return the date/time the update was installed: grep 'Installed "Security Update 2017-001"' /private/var/log/install.log
- Configure a Custom Attribute to Audit macOS Build Version: Use the following command line to return the build version of macOS: /usr/bin/sw_vers -buildVersion
The patched build number is 17B1002.
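The two audits above can be combined into a single attribute value. The script below is an added example, not AirWatch or Apple code; the status strings and function names are hypothetical, and it assumes the Custom Attribute records the script's standard output.

```shell
#!/bin/sh
# Added example: combine the build-version and install.log audits into one value.
PATCHED_BUILD="17B1002"   # patched build number stated in this advisory
UPDATE_MARKER='Installed "Security Update 2017-001"'

# update_install_line LOGFILE: print the last matching log line, or nothing.
update_install_line() {
    [ -r "$1" ] || return 0          # unreadable or missing log: no evidence
    grep -F -- "$UPDATE_MARKER" "$1" | tail -n 1
}

# audit_status BUILD LOGFILE: print one status string (hypothetical labels).
audit_status() {
    build=$1
    line=$(update_install_line "$2")
    if [ "$build" = "$PATCHED_BUILD" ]; then
        if [ -n "$line" ]; then
            echo "patched build=$build update-logged"
        else
            echo "patched build=$build update-not-logged"
        fi
    elif [ -n "$line" ]; then
        # Update was logged but the build differs from the advisory's value.
        echo "review build=$build update-logged"
    else
        # Neither signal present: the device still needs attention.
        echo "not-confirmed build=$build update-not-logged"
    fi
}

if [ -x /usr/bin/sw_vers ]; then
    # On a Mac: report live values using the paths from the advisory.
    audit_status "$(/usr/bin/sw_vers -buildVersion)" /private/var/log/install.log
else
    # Elsewhere: run against a constructed log line (real log layout may differ).
    sample=$(mktemp)
    echo '2017-11-30 09:12:44-08 mac01 softwareupdated[312]: Installed "Security Update 2017-001"' > "$sample"
    audit_status "$PATCHED_BUILD" "$sample"
    rm -f "$sample"
fi
```

A value starting with "review" or "not-confirmed" marks a device to check by hand rather than a confirmed vulnerable one, since the advisory names only one patched build.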
For additional information, please refer to Apple's Knowledge Base article on how to enable the root user on your Mac or change your root password.