
OS X Lion accepts any LDAP password, creates enterprise network nightmare

There's nothing more frightening to a network administrator than to have a potential security hole that can open a network to attacks from outside. Unfortunately, the latest incarnation of Mac OS X -- Lion -- reportedly has a major security issue related to Lightweight Directory Access Protocol (LDAP).

LDAP servers often contain sensitive enterprise data, so a successful attack on one of the servers is a bonanza to hackers. For some reason, Macs running Lion that use LDAP to authenticate users to shared resources work just fine for the initial login. After that point, Lion users can use any password and still log in.

Macs running older versions of OS X, Windows PCs, and Linux machines authenticate properly against the same LDAP servers; only the Lion machines exhibit the bad behavior. No security problems have been reported for Macs running Lion that log into networks using protocols other than LDAP.

This issue may create concern in the minds of network administrators who are being pressured to add more Macs to their networks. A researcher at iSec Partners, Alex Stamos, recently noted that large corporate customers should think twice before deploying large numbers of Macs in enterprises. Speaking at the Black Hat security conference earlier this month, Stamos mentioned that iSec Partners had figured out an easy way to steal hundreds of passwords from enterprise servers by connecting a Mac to the network.

Network admins who think that Macs may be an open gate to their data are not going to be amenable to connecting the devices to their enterprise networks.
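A minimal model of the client-side behaviour the article describes, as an added example that is not part of the original article or of Apple's code: the flawed client replays its first successful credential at every later prompt, while the fixed client binds with whatever was typed and keeps the stored secret only for non-interactive reconnects. The directory, DN and passwords are constructed stand-ins for a real LDAP server.

```python
"""Model of the credential-reuse defect described above (added example).

Assumptions, not from the article: the directory is an in-memory dict and
simple_bind() stands in for an LDAP simple bind; all data is constructed.
"""
DIRECTORY = {"uid=alice,ou=people,dc=example,dc=com": "correct horse"}  # constructed
ALICE = "uid=alice,ou=people,dc=example,dc=com"

def simple_bind(dn: str, password: str) -> bool:
    """Stand-in for an LDAP simple bind: true only if DN and password match."""
    return DIRECTORY.get(dn) == password

class FlawedClient:
    """Reported behaviour: after one successful bind the client keeps the
    working password and replays it at later prompts, so whatever the user
    types afterwards is never sent to the server."""
    def __init__(self) -> None:
        self._cached: dict[str, str] = {}

    def login(self, dn: str, typed_password: str) -> bool:
        if dn in self._cached:
            return simple_bind(dn, self._cached[dn])  # typed_password ignored
        ok = simple_bind(dn, typed_password)
        if ok:
            self._cached[dn] = typed_password
        return ok

class FixedClient(FlawedClient):
    """An interactive prompt always binds with what was typed; the stored
    secret serves only non-interactive reconnects of the same session."""
    def login(self, dn: str, typed_password: str) -> bool:
        ok = simple_bind(dn, typed_password)
        if ok:
            self._cached[dn] = typed_password
        else:
            self._cached.pop(dn, None)  # a failed prompt invalidates the cache
        return ok

    def reconnect(self, dn: str) -> bool:
        """Silent re-bind with the stored secret, e.g. after a network drop."""
        return dn in self._cached and simple_bind(dn, self._cached[dn])

def demo(client_cls) -> list[bool]:
    """Correct password first, then two wrong ones at the re-auth prompt."""
    c = client_cls()
    return [c.login(ALICE, "correct horse"), c.login(ALICE, "wrong"), c.login(ALICE, "")]
```

Running `demo` against both clients shows the observable symptom from the article: the flawed client accepts every password after the first correct one, the fixed client rejects the wrong ones.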

32 Comments

Dude

This is overhyped. The Lion client is storing the login information. It simply reuses the credentials on successive access to resources. The only way for a hacker to compromise security is to steal the Lion machine after the user authenticates... This is no different than someone standing behind you waiting for you to login and then swiping your computer.

Glad you all understand now.

September 12 2011 at 6:26 PM
Joshua Hughes

To all of you people confused by the wording here it is simplified.

Typing any password in at the client after the initial login and getting access does NOT mean that the password you typed in is what is being sent to the server. Rather, the problem appears to be that, regardless of subsequently typed passwords, Lion is submitting your original and correct credentials for all subsequent logins, regardless of the credentials you actually supply after the first login.

As a result, this is a client issue, not a server issue, as the server is being given correct credentials regardless of what is typed in at the client.

August 30 2011 at 9:56 AM
Till

This issue has been reported in public for several days and is a major f*ckup by Apple! You would expect that for such a huge security hole there would be a security fix within 24 hours - but it seems that iEnterprise doesn't (want to) sell that much... :/

August 30 2011 at 4:25 AM
Rube

Anybody seen a source for this *besides* that one forum thread at macrumors that everybody's linking to?

August 30 2011 at 3:02 AM
1 reply to Rube's comment
Till

This is a well-known issue and Apple has acknowledged it as such. It IS a Mac OS 10.7 Client problem in that Lion does not properly evaluate the passwords! It has nothing to do with the LDAP server, as this article correctly mentions.

Here's another "heise security" article: http://www.h-online.com/security/news/item/Mac-OS-X-Lion-fails-to-check-passwords-when-authenticating-via-LDAP-1328704.html

The original (in German): http://www.heise.de/security/meldung/Mac-OS-X-Lion-prueft-Passwoerter-bei-Authentifizierung-via-LDAP-nicht-1328609.html

Cheers

August 30 2011 at 4:22 AM
2 replies to Till's comment
Depicus

And this article is wrong. It is Lion's implementation of OpenLDAP which runs on the server version.

If the Lion client could log into an LDAP server and have full access to anything then LDAP would be dead in the water, any hacker could replicate this.

August 30 2011 at 7:43 AM
Till

@Depicus: Well, the wording "Lion fails to check passwords" is indeed misleading, I agree. But as someone else has clarified in the meantime, what really goes wrong on the *client* (!) side is that Lion always sends the proper password which was initially typed in. After that it does not check what the user has entered and *always* sends the same - and correct - password! Or in other words: it can connect to ANY LDAP server, no matter what was typed in after the first correct validation - epic fail!

"If the Lion client could log into an LDAP server and have full access to anything then LDAP would be dead in the water, any hacker could replicate this."

Now you DO start to realise how badly Apple did f*ckup with this, right? ;)

p.s. I did not see any way how I could reply to your post, there was no "Answer" button...

August 31 2011 at 3:29 AM
Richard Flynn

This is a bad bug. I can understand why there is confusion in the comments over whether the bug is 10.7 client or server. If we take the report (here and on The Reg) at face value, then the problem is with the way Lion persistently caches user credentials for LDAP servers.

However, I read this statement with surprise: ‘Speaking at the Black Hat security conference earlier this month, Stamos mentioned that iSec Partners had figured out an easy way to steal hundreds of passwords from enterprise servers by connecting a Mac to the network.’

Surely this is an indication of lack of security on the ‘enterprise servers’ rather than a problem inherent with OS X? Surely there shouldn’t be a way for any client (regardless of OS) to grab hundreds of passwords from an enterprise server?

August 29 2011 at 9:41 PM
Eric Jon Bolt

Over the years using Leopard and Snow Leopard, I reported a similar problem to Apple (as I understand the problem to be). I was able to type in any word or even no word into the password authentication to access our company's client base and financial records. There was a password in place and yet I could simply bypass it using the iCal LDAP process. Seems like the bug is persistent.

The only email I still have from the Apple Developer Connection team goes back to August of 2009 and indicated another LDAP issue with disconnecting... they fixed the one below with 10.7:

Problem
- Administrator password provided to access Active Directory at a work location
- Moved computer to off-site location and have no access to work location Active Directory
- Tried to delete/disconnect work location Active Directory connection from Directory Utility
- Prompted to give Administrator Password (IT staff)
- Do not have access to Administrator Password and thus ... no valid authentication
- Could not disconnect from Active Directory

Workaround
- Clicked on Services
- Unchecked LDAPv3
- Connection to work location Active Directory disappeared
- Disconnected from Active Directory

August 29 2011 at 6:59 PM
cookingscience

quote:
Yuusharo
Considering that you have to successfully log in at least once on a Lion machine in order to produce the problem tells me that Lion is improperly caching credentials and reusing them in subsequent logins, whether or not they're correct. That would explain why this problem is localized only to Lion machines and not to a server vulnerability.

Lion is to blame, not the server.
----------------------------------------------------------------
Why would a cache containing my password allow me to get access to data that requires another person's credentials?

August 29 2011 at 6:42 PM
Frank Lowney

This is a rather confusing or confused article. As I understand it, LDAP and its variants (AD, Shibboleth, Kerberos et al.) are in sole control of access to that service. Either you present the correct credentials and get access or you do not and are barred from access. I'm further assuming that we are talking about Lion as a client and LDAP as any kind of non-Apple server. Unauthorized access is the server's fault, not the client's fault.

Or are we actually talking about LDAP running on a MacOS X 10.7 (Lion) server?

Please clarify.

August 29 2011 at 5:49 PM
Jim

Something is wrong with the description of the problem here. It's the LDAP server's responsibility to keep information secure, not the responsibility of the client OS. Even if the Lion client allows someone to log into the Mac, no enterprise data will be compromised unless a server allows it.

August 29 2011 at 5:45 PM
chrism238

This was breaking news MID LAST WEEK. Impressive reporting TUAW.

August 29 2011 at 4:55 PM
© 2012 AOL Inc. All Rights Reserved.