Some quick notes on yesterday's root privilege escalation vulnerability.
Apple Released a Fix
Security Update 2017-001 was released around 8am PST on November 29, 2017. This update resolves the issue leading to the privilege escalation.
Installing the update recompiles and reinstalls opendirectoryd. The update does not require a reboot.
The update also disables root again. While waiting on this fix, the smart move was to enable root and configure a strong password on the account. After installing the fix, leave
Apple states the problem existed in "Directory Utility." To split hairs, using the Directory Utility app was only the widely-reported method to trigger the vulnerability. Other methods existed.
Ensuring You're Patched
Apple helpfully provides the following method to confirm Security Update 2017-001 is installed:
macOS High Sierra 10.13.0 should return
macOS High Sierra 10.13.1 should return
Here's a Python script to report on the project build version of opendirectoryd. It uses the format of @chilcote's excellent unearth project, and I've submitted a pull request to integrate the
The Update Originally Broke File Sharing
After installing the update, some users reported issues with file sharing services. Apple acknowledged the issue and published Repair file sharing after Security Update 2017-001 for macOS High Sierra 10.13.1 with instructions on reconfiguring the Local KDC to fix file sharing authentication.
...So Apple Re-Released Security Update 2017-001
On Nov 29, 2017 at 11:42 PM, Apple re-released the update. The new product ID is "091-51303", and it includes a postinstall script to reconfigure the Local KDC and avoid the aforementioned file sharing problem. (Thanks to Eric Holtam for the tip!)
...And Re-Released the Update Again
Later, on Nov 30, 2017 at 1:48 AM, Apple again re-released the update. This update adds the fix for macOS 10.13.0, which was previously still affected. The product ID for this update is 091-51300.
Hopefully this is the update's final form.
10.13.0 Was Initially Still Vulnerable, Now Fixed
Security Update 2017-001 originally applied only to 10.13.1. Subsequent releases of the update now patch 10.13.0.
All released versions of macOS High Sierra should be eligible for the fix. Betas are not yet patched.
macOS Build Numbers
The initial release of Security Update 2017-001 moved the macOS build number for 10.13.1 to 17B1002. The re-releases move the build number to 17B1003.
This update does not affect the build numbers for 10.13.0; the latest build for 10.13.0 is still 17A405.
Apple initially published the relevant build numbers on the KB article for the update. After the third update-to-the-update, they've removed this information.
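A check you could run across a fleet, added here as an example (it is not the script from the original post or from the unearth project): it uses the build numbers above for 10.13.1 and, because 10.13.0 stays at 17A405, falls back to the opendirectoryd project version there. The `what /usr/libexec/opendirectoryd` call, the `PROJECT:` output format and the function names are assumptions; the expected project version has to come from Apple's KB article.

```python
import re
import subprocess

# Build numbers this page gives for 10.13.1 after Security Update 2017-001.
PATCHED_10_13_1 = {
    "17B1002": "patched (initial release; file sharing may need Apple's repair steps)",
    "17B1003": "patched (re-release)",
}

# Constructed sample of `what` output; the version is a placeholder, not a real value.
SAMPLE_WHAT = "/usr/libexec/opendirectoryd\n\t PROGRAM:opendirectoryd  PROJECT:opendirectoryd-0.0.0\n"


def project_version(what_output):
    """Return the opendirectoryd project version found in `what` output, or None."""
    match = re.search(r"PROJECT:\s*(opendirectoryd-[\d.]+)", what_output)
    return match.group(1) if match else None


def patch_status(product_version, build, what_output="", expected_project=None):
    """Classify one host. expected_project is supplied by the caller from Apple's KB article."""
    if product_version == "10.13.1":
        return PATCHED_10_13_1.get(build, "not patched: build %s is not a post-update build" % build)
    if product_version in ("10.13", "10.13.0"):
        # The update leaves 10.13.0 at build 17A405, so the build number proves
        # nothing here; only the opendirectoryd project version can.
        found = project_version(what_output)
        if found is None:
            return "unknown: no opendirectoryd project version in `what` output"
        if expected_project is None:
            return "inconclusive: compare %s with Apple's KB article" % found
        return "patched" if found == expected_project else "not patched: %s" % found
    return "not applicable: the update targets 10.13.0 and 10.13.1 only"


def run(cmd):
    return subprocess.check_output(cmd).decode()


if __name__ == "__main__":  # run on the Mac being checked
    print(patch_status(run(["sw_vers", "-productVersion"]).strip(),
                       run(["sw_vers", "-buildVersion"]).strip(),
                       run(["what", "/usr/libexec/opendirectoryd"])))
```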
The Update Installs Automatically
Apple is pushing this update to eligible devices, so Security Update 2017-001 will automatically download and install when you are connected to the Internet. This is similar behavior to their update to patch an NTP vulnerability.
You may also receive a Notification Center notification prompting you to install the update.
Or, when installed automatically, a notification to let you know.
In an unprecedented move, Security Update 2017-001 is flagged in the software update catalog as "critical." Additionally, the App Store description pleads "Install this update as soon as possible."
10.13.2 Betas - Not Yet Fixed
The latest 10.13.2 Beta 5 cannot install Security Update 2017-001. I expect Beta 6 will be released soon, resolving the vulnerability.
Patrick Wardle tracked down specifics of the likely cause.
@lemiorhan, whose tweet more-or-less kicked off this fiasco, published a sorta-kinda explanation of why he publicly tweeted the vulnerability.
2017-11-30 09:25AM: Updated to document third release of Security Update 2017-001
2017-11-30 12:30AM: Updated to document re-release of Security Update 2017-001