Apple MacOS High Sierra root authentication security flaw


              Apple MacOS High Sierra  (10.13) contains a flaw in how it authenticates the root account.  When a privileged action prompts the user for administrative credentials, the user can simply enter the user of "root" with and empty password.  The first attempt appears to fail, but in actuality, this action caused MacOS High Sierra to enable the ability to log in as root using the credentials specified.
          A second attempt to authenticate using the same credentials successfully takes the action with root administrative privileges.
               Once this vulnerability has been triggered by an authenticated user (either locally, or via remote access such as SSH), the root account will be available to use as a viable authentication mechanism to the system.

               A local or remote user of a MacOS High Sierra system can obtain root\administrative privileges without requiring credentials.  Any system that has the root account enabled (e.g. via testing for this vulnerability) may also expose the root account for use with remote administrative capabilities, such as the built-in "Screen Sharing" or "Remote Management" capabilities.

               The CERT/CC is currently unaware of a practical solution to this problem.  Please consider changing the root password as a work around.
                   1. As a user with administrative privileges, launch a Terminal window
                   2. Type sudo passwd -u root
                   3. Enter a strong password