Printed from http://www.macnn.com

Lion exposes Macs to major LDAP vulnerability

updated 09:45 am EDT, Mon August 29, 2011

Hole allows any password to be used

OS X Lion has a serious security vulnerability related to LDAP, reports say. If a machine is using LDAP to authenticate access to other resources, a person can use any password for logins as long as they get past Lion's initial login process. The issue is said to be sensitive in an enterprise environment. "As pen testers, one of the first things we do is attack the LDAP server," explains Errata Security CEO Rob Graham. "Once we own an LDAP server we own everything. I can walk up to any laptop (in an organization) and log into it."

The hole has reportedly existed since before OS X 10.7.1 was released, raising the question of why it hasn't already been patched. It could theoretically be fixed in v10.7.2, which is already well into development. The update's exact release date is unknown.

In the meantime, some security experts and enterprise IT staff are advising against using Lion Macs, at least in large numbers. The problem is said to be restricted to Macs upgraded to Lion, though, and protocols that compete with LDAP appear to be safe.

by MacNN Staff


Comments

  1. SCslugger

    Joined: Dec 1969

    +3

    "...as long as...

    ...they get past Lion's initial login process." This is like saying BMWs are really prone to theft, as long as the car thief has your key.

  1. prl99

    Joined: Dec 1969

    0

    more explanation needed

    I read this somewhere else and it continues to not make sense. Let me see if this is what they are saying.

    1. Mac #1, user login= person1, password= 123456 (just an example). person1 logs into Mac #1
    2. person1 accesses server using LDAP service, is able to log in using password=abcdefg, even though password in LDAP is 123456.

    Is that what they are saying? Does this only work if Mac#1 is bound to that LDAP server? Does it work even if person1 is a local account?

    Of course, attacking an LDAP server to get all passwords renders that server useless. How does 10.7 have anything to do with an LDAP server being hosted on another system? Are they talking about the built-in LDAP service of Lion client?

  1. humblec

    Joined: Dec 1969

    +4

    security

    From the links: Lion does not authenticate any logins after the first initial login from LDAP. So if a computer is successfully logged in once, the next person can put in anything to log in, as it is not authenticated.

  1. prl99

    Joined: Dec 1969

    +2

    single sign-on

    A computer isn't authenticated, a user is, but this sounds like single sign-on, something in heavy use on AD-bound systems. What's different is it sounds like a second user, using their own logon and password to access the Mac, can then use any password to connect to the same server. This doesn't make sense and I'd like to see the actual configuration they're using and a step-by-step documentation of the process. I read other comments that this only happens on an OpenLDAP server running on Linux or Solaris, so at this point I have no way of knowing exactly what the combination is to try and test it.

  1. testudo

    Joined: Dec 1969

    -8

    Re: Single sign-on

    What's different is it sounds like a second user, using their own logon and password to access the Mac, can then use any password to connect to the same server. This doesn't make sense

    Of course it doesn't make sense. Hence the term "security vulnerability".

    and I'd like to see the actual configuration they're using and a step-by-step documentation of the process. I read other comments that this only happens on an OpenLDAP server running on Linux or Solaris, so at this point I have no way of knowing exactly what the combination is to try and test it.

    Yeah, so you can then say "How dare they release the details of this exploit! That's just patently unfair to Apple and shows their anti-Apple bias as they try to spread FUD that the Mac is insecure!"

  1. testudo

    Joined: Dec 1969

    0

    Re: ...as long as...

    "...as long as they get past Lion's initial login process." This is like saying BMWs are really prone to theft, as long as the car thief has your key.

    No, it's nothing like that. It's like saying "Hey, if Bob goes to his car, unlocks it, gets something from it, locks it again, and leaves, you can then go up to it and unlock it with ANY KEY, as long as you say 'I am Bob'".

    That's the difference. The Mac is checking that the user name is correct, but the password isn't being authenticated.

    And, more importantly, you have to look at this from a nefarious employee issue. It's not just that Bob logs out and then Fred comes up to the computer and can log in as Bob. What if Bob logs in, then logs out, then logs in as "payroll"? He can then access the entire payroll system. Or logs in as "hr"? Now he can get everyone's personal information.

    Oh, I know, this isn't a security issue as much as a "well, if you give someone access to the machine, all bets are off" issue. Those don't count in terms of security threats. Because it is your fault that anyone who might have access to a computer isn't 100% honest and above-board.

  1. testudo

    Joined: Dec 1969

    +2

    oops

    Reading some more comments, it appears that you can log in with any name, not just the name of a valid user. What access do you get? Not sure. But it still doesn't sound like a non-issue.

  1. Grendelmon

    Joined: Dec 1969

    0

    Fanbois:

    http://blogs.pcworld.com/tipsandtweaks/archives/feature.jpg

  1. leamanc

    Joined: Dec 1969

    0

    Can't reproduce this

    I have a 10.7.1 server, and several 10.7 and 10.7.1 clients to try this out with. I created a user called "Joe Bob Briggs", shortname jbriggs, password briggs, home folder on the server, and several services enabled (email, iCal, wiki, etc.). I tried this first when the server was still at 10.7, and the clients were a mix of 10.7 and 10.7.1.

    In all cases, including after upgrading the server to 10.7.1, and leaving the clients a mix of 10.7 and 10.7.1, I cannot log in with the jbriggs user without the right password. I first log in with my normal account, then log out to get to the login screen. Trying to log in as jbriggs only works with the password briggs. I tried some random passwords, like abcde, abc123, admin, etc.

    The only thing out of the ordinary I noticed was that it took longer than normal for the login boxes to "shake", indicating a wrong password. Usually the shake should start within 1 second of a wrong password entered, but sometimes it would go 20 to 25 seconds before shaking...like it was trying to let me in with the wrong password. Using the right password (briggs) logged me in instantly.

    I haven't checked the OpenDirectory logs or anything to see what's happening on the server end, but the brass tacks here is that I can't reproduce this issue. Am I missing something?
