updated 09:45 am EDT, Mon August 29, 2011
Hole allows any password to be used
OS X Lion has a serious security vulnerability related to LDAP, reports say. If a machine is using LDAP to authenticate access to other resources, a person can use any password for logins as long as they get past Lion's initial login process. The issue is said to be sensitive in an enterprise environment. "As pen testers, one of the first things we do is attack the LDAP server," explains Errata Security CEO Rob Graham. "Once we own an LDAP server we own everything. I can walk up to any laptop (in an organization) and log into it."
The hole has reportedly existed since before OS X 10.7.1 was released, raising the question of why it hasn't already been patched. It could theoretically be fixed in v10.7.2, which is already well into development. The update's exact release date is unknown.
In the meantime, some security experts and enterprise IT staff are advising against using Lion Macs, at least in large numbers. The problem is said to be restricted to Macs upgraded to Lion, though, and protocols that compete with LDAP appear to be safe.