This is a dumb cock up but relatively inert either way:
1. It's not active or open by default.
In this case, the problem is more serious. In Unix systems you lock an account by assigning it an invalid encrypted password. In this case, that invalid encrypted password made some poor exception handling to authorize access.
3. You have to have physical control of the machine to enable it.
Which still leaves you vulnerable in all those situations in which, for whatever reason, you leave a machine unattended. I don't carry my laptop to the loo when I am at the office.
4. SSH to root account is forbidden by default anyway so remote auth isn't possible even with a password and you have to turn SSH on.
It did not affect *only* root, but potentially any account locked by the traditional method of the invalid password. Read my simple description above
of a similar cock-up in a network server in 1991. I could authenticate successfully as "bin", "tcb", "daemon", etc.
An let us not forget pre-Windows XP SP1, where you could log in as Administrator with a blank password because there was a bug in MSGINA and LSASS.
Probably a problem belonging to the same class. This kind of problems can be caused by error or exception handling problems, or even race conditions .
There has been a comparable problem in the systemd service in Linux.
https://github.com/systemd/systemd/issues/6237In this case, a user name beginning with a number in a configuration file was interpreted as number. The file accepts both user names and numerical uids. This particular problem deals with how interpret a field that can be in any of two different formats.
How do you deal with that? You can try a number conversion first, with a fallback to a name look up. But some number conversions may happily return the "0" in the user "0day" assuming that the rest was garbage you can discard.
You can do it in the opposite order in order to be safe from lax number conversions. However, in case the "0day" user is deleted for whatever reason, its processes will be executed with uid=0, ie, root.
The discussion itself is interesting, because some claim that it shouldn't happen anyway, so they don't consider it a bug in the first place.