⌘ MacBlog

Off Root

by Matthew Warren

Some quick notes on yesterday's root privilege escalation vulnerability in macOS High Sierra (CVE-2017-13872), which let anyone authenticate as root with an empty password.

Apple Released a Fix

Security Update 2017-001 was released around 8am PST on November 29, 2017. This update resolves the issue leading to the privilege escalation.

Installing the update replaces /usr/libexec/opendirectoryd with a rebuilt binary (nothing is compiled on the Mac itself). The update does not require a reboot.

The update also disables root again. While waiting on this fix, the smart move was to enable root and configure a strong password on the account. After installing the fix, leave root disabled. If you genuinely need the root account, re-enable it and set its password again after the update rather than assuming the password you set earlier survived.

Apple states the problem existed in "Directory Utility." To split hairs, the Directory Utility app was only the widely-reported way to trigger the vulnerability. The flaw was in opendirectoryd's credential validation, so other authentication prompts that go through it (the login window, the padlock in System Preferences) could trigger it too.

Ensuring You're Patched

Apple helpfully provides the following method to confirm Security Update 2017-001 is installed:

what /usr/libexec/opendirectoryd

Look at the PROJECT: field in the output (the line reads PROGRAM:opendirectoryd PROJECT:opendirectoryd-<version>).
macOS High Sierra 10.13.0 should return opendirectoryd-483.1.5.
macOS High Sierra 10.13.1 should return opendirectoryd-483.20.7.

Here's a Python script to report on the project build version of opendirectoryd. It uses the format of @chilcote's excellent unearth project, and I've submitted a pull request to integrate the opendirectoryd reporting.
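The script linked above is not reproduced here, so what follows is an added example of my own, not the author's script and not code from the unearth project. It wraps Apple's documented `what` check in a small unearth-style fact function, compares the PROJECT string against the versions Apple published for 10.13.0 and 10.13.1, and, since the post's advice is to leave root disabled after patching, also reports whether root is currently enabled. The assumptions that are not from the post: `what` prints a line containing "PROJECT:opendirectoryd-<version>", and `dscl . -read /Users/root AuthenticationAuthority` prints a ";ShadowHash;" authority when root is enabled and "No such key" when it is disabled. The commands only run on macOS; the parsing functions run anywhere.

```python
"""Report the opendirectoryd project version, whether it matches the
Security Update 2017-001 build for this macOS release, and whether the
root account is enabled. Added example; not the post's or unearth's code."""
import re
import subprocess

# Versions from Apple's published check, keyed by `sw_vers -productVersion`.
# 10.13.0 reports itself as "10.13", so both spellings are listed.
PATCHED_PROJECT = {
    "10.13": "opendirectoryd-483.1.5",
    "10.13.0": "opendirectoryd-483.1.5",
    "10.13.1": "opendirectoryd-483.20.7",
}

# Assumption: `what` output carries "PROJECT:opendirectoryd-<version>".
PROJECT_RE = re.compile(r"PROJECT:(opendirectoryd-[0-9.]+)")


def parse_project(what_output):
    """Return the PROJECT tag from `what` output, or None if it is absent."""
    match = PROJECT_RE.search(what_output)
    return match.group(1) if match else None


def patch_status(product_version, project):
    """'patched', 'not patched', or 'unknown' when the release is not one
    Apple published a version for (e.g. a 10.13.2 beta) or parsing failed."""
    expected = PATCHED_PROJECT.get(product_version)
    if expected is None or project is None:
        return "unknown"
    return "patched" if project == expected else "not patched"


def root_enabled(dscl_output):
    """Assumption: an enabled root account has an AuthenticationAuthority
    attribute containing ShadowHash; a disabled one yields 'No such key'."""
    return ("AuthenticationAuthority:" in dscl_output
            and "ShadowHash" in dscl_output)


def _run(cmd):
    # Capture stdout and stderr together and ignore the exit code: dscl exits
    # non-zero with "No such key" when the attribute is absent (root disabled).
    proc = subprocess.Popen(cmd, stdout=subprocess.PIPE,
                            stderr=subprocess.STDOUT, universal_newlines=True)
    out, _ = proc.communicate()
    return out


def fact():
    """unearth-style fact: a dict of the values worth reporting."""
    product = _run(["sw_vers", "-productVersion"]).strip()
    project = parse_project(_run(["what", "/usr/libexec/opendirectoryd"]))
    dscl = _run(["dscl", ".", "-read", "/Users/root", "AuthenticationAuthority"])
    return {
        "macos_version": product,
        "opendirectoryd_project": project,
        "security_update_2017_001": patch_status(product, project),
        "root_enabled": root_enabled(dscl),
    }


if __name__ == "__main__":
    for key, value in fact().items():
        print("%s: %s" % (key, value))
```

The comparison is an exact match against Apple's published strings on purpose: a newer build (a 10.13.2 beta, or a later update) reports "unknown" rather than "patched", which is the honest answer when the KB article has not told you what to expect.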

The Update Originally Broke File Sharing

After installing the update, some users reported issues with file sharing services. Apple acknowledged the issue and published Repair file sharing after Security Update 2017-001 for macOS High Sierra 10.13.1 with instructions on reconfiguring the Local KDC (running sudo /usr/libexec/configureLocalKDC in Terminal) to fix file sharing authentication.

...So Apple Re-Released Security Update 2017-001

On Nov 29, 2017 at 11:42 PM, Apple re-released the update. The new product ID is "091-51303", and it includes a postinstall script to reconfigure the Local KDC and avoid the aforementioned file sharing problem. (Thanks to Eric Holtam for the tip!)

...And Re-Released the Update Again

Later, on Nov 30, 2017 at 1:48 AM, Apple again re-released the update. This update adds the fix for macOS 10.13.0, which was previously still affected. The product ID for this update is 091-51300.

Hopefully this is the update's final form.

10.13.0 Was Initially Still Vulnerable, Now Fixed

Security Update 2017-001 originally applied only to 10.13.1. Subsequent releases of the update now patch 10.13.0.

All released versions of macOS High Sierra should be eligible for the fix. Betas are not yet patched.

macOS Build Numbers

The initial release of Security Update 2017-001 moved the macOS build number for 10.13.1 to 17B1002. The re-releases move the build number to 17B1003.

This update does not affect the build numbers for 10.13.0; the latest build for 10.13.0 is still 17A405.

Apple initially published the relevant build numbers on the KB article for the update. After the third update-to-the-update, they've removed this information.

The Update Installs Automatically

Apple is pushing this update to eligible devices, so Security Update 2017-001 will automatically download and install when you are connected to the Internet. This is similar to how Apple pushed the December 2014 update that patched an NTP vulnerability.

You may also receive a Notification Center notification prompting you to install the update:

[Screenshot: notification "Critical Security Update"]

Or, when installed automatically, a notification to let you know:

[Screenshot: notification "Security Update Installed"]

"Critical" Flag

In an unprecedented move, Security Update 2017-001 is flagged in the software update catalog as "critical." Additionally, the App Store description pleads "Install this update as soon as possible."

10.13.2 Betas - Not Yet Fixed

The latest 10.13.2 Beta 5 cannot install Security Update 2017-001. I expect Beta 6 will be released soon, resolving the vulnerability.

Root Cause

Patrick Wardle tracked down specifics of the likely cause. In short, the disabled root account has no stored password hash, and instead of rejecting the attempt, opendirectoryd's authentication path took an "upgrade" branch that stored the supplied password as root's password, which is why a second try with the same (even empty) password succeeded.

Saving Face

@lemiorhan, whose tweet more-or-less kicked off this fiasco, published a sorta-kinda explanation of why he publicly tweeted the vulnerability.


2017-11-30 09:25AM: Updated to document third release of Security Update 2017-001
2017-11-30 12:30AM: Updated to document re-release of Security Update 2017-001
