Apple "Remote Management" also has the same exposure. If "Control" is enabled, that gives full interactive remote root access to a system, without requiring a password.
I posted a few more details: https://www.kb.cert.org/vuls/id/113765 Perhaps notably:
- The root account (with attacker-specified password) can be enabled via shell-only (e.g. SSH) access.
- Simply *testing* for the vulnerability enables the root login, which puts a system at increased risk.
Also notably:
- Do *NOT* disable the root account after setting a password for it. If you do this, you will revert the system back to the vulnerable state.
And perhaps most notably of all:
- Apple has released an update: https://support.apple.com/en-us/HT208315
I've heard that disabling root isn't good enough. But I haven't tested this.
I just re-tested this and have confirmed: The remote root access attack surface ONLY exists if any user has entered the root:NULL password locally (e.g. via a logged-on user). If this has not happened, the root:NULL remote access will not be allowed. This is an important detail.
My understanding based on limited testing is that the local test (e.g. entering root:NULL for *any* action that requires admin privileges) seems to *create* the root:NULL account access. If I try remote access on a clean OS before the local test, the creds are not accepted.
a gift that just keeps on giving eh? perfection expected in design and UX, fail-whale in QA/QC on Sec & Safety of users...
I've been saying this for years: Apple's software quality has become awful since Jobs' passing. It's simply bad. Bad coding and bad experience.
Big question indeed, clicking on 'other' in the logon field only becomes visible once the 'root' account has been enabled once (by using the Settings>Lock trick). So far SSH remote login with root without password is not working for me.