28 Nov Use Ivanti’s Autofix to Remediate macOS High Sierra’s Root Vulnerability
The Mac world went abuzz today (see here, and here, and here, and here, and here, and here as examples) when everyone discovered that a person with physical access to a Mac, running Apple’s macOS High Sierra, can enable and log into the root account without providing a password.
That means that any Mac with the Guest account enabled is completely exposed.
A Mac with the Guest account disabled is at less risk, but locked-down users on these machines will still be able to access the root account and either grant their own account admin access or create a new account with admin access.
As explained by AppleInsider, “beyond those who have direct access to a vulnerable Mac, the security hole also works remotely in certain scenarios where screen sharing, remote access or VNC sessions are enabled.”
Until Apple releases a fix to address this vulnerability, there are two steps you can take to address this security hole right now. The first is to set a password for the root account. The second is to disable console access for the root account.
Rich Trouton has written a script to perform both of these remediation actions in a single swoop. If you’d like to just use his payload-free package, check out his blog link. For those who use Ivanti Endpoint Manager, I’ve incorporated Rich’s script into an Ivanti custom definition so that you can use the agent’s Autofix feature to repair the vulnerability on all of your machines during the next security scan.
All you need to do is import the Ivanti custom definition I’ve built from Rich’s script into your Patch and Compliance module, make sure your agent’s Distribution and Patch Settings are scanning for custom definitions, and then set the definition to Autofix. The exact steps are detailed below.
Note: Please use at your own risk and test thoroughly before deploying. This script sets a random password for the root account and subsequently disables console access for it. Nine41 Consulting is in no way responsible for the outcome.
- Download Disable-Root-Account.ldms from my GitHub site.
- Copy the file to a location the Core Server or Remote Console can access.
- Open your Ivanti Management Console.
- Go to Tools > Configuration > Agent Settings.
- Click on Distribution and Patch Settings.
- Find your appropriate agent setting for your Mac clients and double-click on it.
- Go to the Scan Options in the menu tree and make sure both Custom Definitions and Enable Autofix are checked.
- Now go to Tools > Security and Compliance > Patch and Compliance.
- Change the definition type to Custom Vulnerability from the drop-down button.
- Right-click on Scan from the menu tree and select Import.
- Import the Disable-Root-Account.ldms custom definition.
- Right-click on the imported definition and select Autofix (assuming your agent configuration also supports Autofix) for specific scopes or to enable it globally.
- Wait for your clients to run their scheduled vulnerability scan or manually kick off the vulnerability scanner from the Console.
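As an added example (not Rich’s script and not the Ivanti definition itself), here is a shell sketch of the detection check a custom definition needs, plus the first remediation step described above, giving root a random password. It assumes that a root account with no password lacks the AuthenticationAuthority attribute, so `dscl` reports "No such key", and that the console-disable step stays with Rich’s script.

```bash
#!/bin/bash
# Added example, not Rich Trouton's script or the Ivanti definition.
# Assumption: a root account with no password has no AuthenticationAuthority
# attribute, so `dscl . -read /Users/root AuthenticationAuthority` fails with
# "No such key", while a root account with a password reports a ShadowHash.

# Classify captured dscl output as "vulnerable", "ok" or "unknown".
classify_root_auth() {
    case "$1" in
        *"No such key: AuthenticationAuthority"*) echo "vulnerable" ;;
        *"AuthenticationAuthority:"*ShadowHash*)  echo "ok" ;;
        *)                                         echo "unknown" ;;
    esac
}

# Detection step (what a custom definition's detect script does):
# returns 0 when the root account still has no password.
root_needs_fix() {
    local out
    out=$(/usr/bin/dscl . -read /Users/root AuthenticationAuthority 2>&1)
    [ "$(classify_root_auth "$out")" = "vulnerable" ]
}

# 32-character alphanumeric password from /dev/urandom; it is never stored.
random_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 32
}

# First remediation step from the post: give root a random password.
# Must run as root; disabling console access is left to Rich's script.
set_root_password() {
    /usr/bin/dscl . -passwd /Users/root "$(random_password)"
}

# Only act when invoked as `sudo ./root-check.sh --apply` on macOS.
if [ "${1:-}" = "--apply" ] && [ "$(uname)" = "Darwin" ]; then
    if root_needs_fix; then
        set_root_password && echo "root password set"
    else
        echo "root already has a password; nothing to do"
    fi
fi
```

Run the file with no arguments to exercise only the classifier; `--apply` performs the change and needs root on the Mac itself.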