Vulnerability Details : CVE-2017-13872
Public exploit exists!
An issue was discovered in certain Apple products. macOS High Sierra before Security Update 2017-001 is affected. The issue involves the "Directory Utility" component. It allows attackers to obtain administrator access without a password via certain interactions involving entry of the root user name.
Vulnerability category: BypassGain privilege
Products affected by CVE-2017-13872
- cpe:2.3:o:apple:mac_os_x:10.13.0:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x:10.13.1:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-13872
14.21%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 96 %
Percentile, the proportion of vulnerabilities that are scored at or less
Metasploit modules for CVE-2017-13872
-
Apple Remote Desktop Root Vulnerability
First seen: 2020-04-26auxiliary/scanner/vnc/ard_root_pwEnable and set root account to a chosen password on unpatched macOS High Sierra hosts with either Screen Sharing or Remote Management enabled. Authors: - jgor -
Mac OS X Root Privilege Escalation
Disclosure Date: 2017-11-29First seen: 2020-04-26exploit/osx/local/root_no_passwordThis module exploits a serious flaw in MacOSX High Sierra. Any user can login with user "root", leaving an empty password. Authors: - chethan177 - lemiorhan - timwr
CVSS scores for CVE-2017-13872
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.3
|
HIGH | AV:N/AC:M/Au:N/C:C/I:C/A:C |
8.6
|
10.0
|
NIST | |
8.1
|
HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
2.2
|
5.9
|
NIST |
CWE ids for CVE-2017-13872
-
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-13872
-
http://www.securityfocus.com/bid/101981
Apple macOS CVE-2017-13872 Authentication Bypass VulnerabilityThird Party Advisory;VDB Entry
-
https://www.wired.com/story/macos-update-undoes-apple-root-bug-patch/
Apple's MacOS High Sierra Update Reintroduces "Root" Bug For Some Users | WIREDPress/Media Coverage;Third Party Advisory
-
https://support.apple.com/HT208315
About the security content of Security Update 2017-001 - Apple SupportVendor Advisory
-
https://www.exploit-db.com/exploits/43201/
Apple macOS 10.13.1 (High Sierra) - 'Blank Root' Local Privilege Escalation (Metasploit)Exploit;Third Party Advisory;VDB Entry
-
https://objective-see.com/blog/blog_0x24.html
Objective-SeeExploit;Technical Description;Third Party Advisory
-
https://support.apple.com/HT208331
About the security content of macOS High Sierra 10.13.2, Security Update 2017-002 Sierra, and Security Update 2017-005 El Capitan - Apple Support
-
https://github.com/rapid7/metasploit-framework/pull/9302
Implement ARD auth and add remote CVE-2017-13872 (iamroot) module by jgor · Pull Request #9302 · rapid7/metasploit-framework · GitHub
-
https://arstechnica.com/information-technology/2017/11/macos-bug-lets-you-log-in-as-admin-with-no-password-required/
macOS bug lets you log in as admin with no password required | Ars TechnicaMitigation;Third Party Advisory
-
http://www.securitytracker.com/id/1039875
Apple macOS/OS X Root Account Password Flaw in Directory Utility Lets Local Users Obtain Root Privileges - SecurityTrackerThird Party Advisory;VDB Entry
-
https://www.exploit-db.com/exploits/43248/
Apple macOS 10.13.1 (High Sierra) - 'Blank Root' Local Privilege Escalation
Jump to