Nine41 Consulting | Use Ivanti’s Autofix to Remediate macOS High Sierra’s Root Vulnerability
Use Ivanti’s Autofix to Remediate macOS High Sierra’s Root Vulnerability

The Mac world went abuzz today (see the many write-ups published within hours) when everyone discovered that a person with physical access to a Mac running Apple’s macOS High Sierra can enable and log into the root account without providing a password.

That means that any Mac with the Guest account enabled is completely exposed.

A Mac with the Guest account disabled is at less risk, but locked-down standard users on these machines will still be able to access the root account and either grant their own account admin rights or create a new account with admin access.

As explained by AppleInsider, “beyond those who have direct access to a vulnerable Mac, the security hole also works remotely in certain scenarios where screen sharing, remote access or VNC sessions are enabled.”

Until Apple releases a fix to address this vulnerability, there are two steps you can take to close this security hole right now. The first is to set a password for the root account. The second is to disable console access for the root account.

Rich Trouton has written a script that performs both of these remediation actions in a single pass. If you’d like to just use his payload-free package, check out his blog post. For those who use Ivanti Endpoint Manager, I’ve incorporated Rich’s script into an Ivanti custom definition so that you can use the agent’s Autofix feature to repair the vulnerability on all of your machines during the next security scan.

All you need to do is import the Ivanti custom definition I’ve built from Rich’s script into your Patch and Compliance module, make sure your agent’s Distribution and Patch Settings are scanning for custom definitions, and then set the definition to Autofix. The exact steps are below.

Note: Please use at your own risk and test thoroughly before deploying. This script sets a random password for the root account and subsequently disables console access for it. Nine41 Consulting is in no way responsible for the outcome.

  1. Download Disable-Root-Account.ldms from my GitHub site.
  2. Copy the file to a location the Core Server or Remote Console can access.
  3. Open your Ivanti Management Console.
  4. Go to Tools > Configuration > Agent Settings.
  5. Click on Distribution and Patch Settings.
  6. Find your appropriate agent setting for your Mac clients and double-click on it.
  7. Go to the Scan Options in the menu tree and make sure Custom Definitions is checked and Enable Autofix.
  8. Now go to Tools > Security and Compliance > Patch and Compliance.
  9. Change the definition type to Custom Vulnerability from the drop-down button.
  10. Right-click on Scan from the menu tree and select Import.
  11. Import the Disable-Root-Account.ldms custom definition.
  12. Right-click on the imported definition and select Autofix (assuming your agent configuration also supports Autofix) for specific scopes or to enable it globally.
  13. Wait for your clients to run their scheduled vulnerability scan or manually kick off the vulnerability scanner from the Console.
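The two remediation actions the definition performs (set a random root password, then disable console access for root), plus a check of the root record's current state, as an added standalone macOS shell script that is not the post's Ivanti definition or Rich Trouton's script. It assumes it runs as root on macOS, the standard paths for dscl and dsenableroot, that dsenableroot -d accepts root's own fresh password as the authenticating credential, and that the AuthenticationAuthority markers it inspects are the ones a root record carries.

```shell
#!/bin/sh
# Added example, not the post's Ivanti definition or Rich Trouton's script.
# Assumptions: runs on macOS as root; dscl/dsenableroot live at the paths
# below; the AuthenticationAuthority markers in classify_root_record are
# assumed to be what an enabled/disabled root record carries.

# 32-character random alphanumeric password for root (the post says the
# remediation sets a random password; length and alphabet are assumed).
generate_root_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 32
}

# Classify the output of `dscl . -read /Users/root AuthenticationAuthority`.
# Prints "disabled" when the attribute is absent or carries ;DisabledUser;,
# "enabled" when a ;ShadowHash; authority is present, "unknown" otherwise.
# ;DisabledUser; is tested first because a disabled record may carry both.
classify_root_record() {
    case "$1" in
        *"No such key"*|*";DisabledUser;"*) echo disabled ;;
        *";ShadowHash;"*)                   echo enabled ;;
        *)                                  echo unknown ;;
    esac
}

# Step 1: give root a real password (replaces the empty one the bug leaves).
# Step 2: disable console access for root. The password is passed on the
# command line because dsenableroot takes it that way; it is random, never
# stored, and the account is disabled immediately afterwards.
remediate_root_account() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    new_pw=$(generate_root_password)
    /usr/bin/dscl . -passwd /Users/root "$new_pw" || return 1
    # Assumption: root's own fresh password is accepted as the credential.
    /usr/sbin/dsenableroot -d -u root -p "$new_pw" || return 1
    unset new_pw
}

case "${1:-}" in
    --check)
        record=$(/usr/bin/dscl . -read /Users/root AuthenticationAuthority 2>&1)
        echo "root console login: $(classify_root_record "$record")" ;;
    --apply)
        remediate_root_account ;;
esac
```

Run with `--check` first to see whether root is currently enabled, then `--apply` to remediate; without an argument the script only defines its functions.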