back to article Mac Lion blindly accepts any LDAP password

Apple's latest version of Mac OS X is creating serious security risks for businesses that use it to interact with a popular form of centralized networks. People logging in to Macs running OS X 10.7, aka Lion, can access restricted resources using any password they want when the machines use a popular technology known as LDAP …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    FAIL

    I don't know the ins and outs of LDAP

    But to me, any system of any security should assume that the client is compromised by design.

    If the client fails to authenticate a password, what the hell is the server supposed to do?

    (For the record, I own both a Mac and a PC desktop. Makes no difference to me that this is an Apple issue, a vulnerability in the *client* should not open all the keys to the kingdom of the server.)

    1. Anonymous Coward
      Anonymous Coward

      It seems

      what is happening is this:

      * a user logs in using a valid username/password

      * the username/password is authenticated against the LDAP server which says yay or nay

      * then, the user requests access to some other resource that requires LDAP authentication

      * at this point OSX Lion doesn't bother requesting that the LDAP server authenticate the credentials given.

      This means anything with client-side LDAP authentication is wide open. As OpenLDAP server by default allows at least read only access to most of the tree that probably means most of the directory is available for perusing... but then any sysadmin worth their salt should have locked down access to the directory.

      1. JSHello

        The still don't make sense.

        Where is this credentials come from?

        "* at this point OSX Lion doesn't bother requesting that the LDAP server authenticate the credentials given."

        1. Anonymous Coward
          Anonymous Coward

          Re: The still don't make sense.

          "Where is this credentials come from?"

          I imagine that Mac OS X just re-uses the authentication token for the user who actually authenticated, regardless of whoever is supposed to be performing the operation.

      2. Anonymous Coward
        WTF?

        From what you're telling, failure is somewhere else

        ... the user requests access to some other resource that requires authentication...

        Well duh, it is the job of that resource to ask the LDAP server and NOT the client to confirm the user has been authenticated/authorized for that access. The way this has been described it seems the problem is with LDAP as a security framework and not with the way MacOS is using it.

    2. Homard
      FAIL

      Have to agree with you

      A server should always authenticate the user, regardless.

      Any other design, as the article shows is stupid, and insecure.

      How many times has this happened in the past ? LOTS. Why has the lesson not been learnt ?

      I can only say FAIL.

    3. Stupidscript

      Bigger Problem Than You Think

      This particular issue has nothing to do with the nature of LDAP and everything to do with Lion's problems within such a system.

      The problem is that Lion is not requesting ANY authentication of the password. You can use any valid user name, and ANY password. Doesn't have to be a valid password, or even a password included in the system.

      That's a pretty big problem for Apple, and no problem at all for LDAP.

  2. Anonymous Coward
    WTF?

    Open Directory

    Open Directory is NOT a Microsoft product. It's an Apple product. Microsoft's is Active Directory.

    1. Ed Uncle
      Thumb Down

      It's an Apple product

      Oh no it isnt.. the clue is in the 'Open'..

      Seems it's specifically NOT apple's version thats screwing up too...

      1. Anonymous Coward
        FAIL

        Yes, it is

        Open Directory is indeed Apple. You're thinking of OpenLDAP (which Open Directory uses though).

  3. Anonymous Coward
    FAIL

    Wait a second ...

    First off, let me start by saying I've zero experience of LDAP and maybe I'm misunderstanding the article, but ...

    Isn't the real story here that LDAP is completely ineffectual as a security mechanism? It should be the server which authenticates the client, not the client itself. This doesn't seem to be a bug in OSX from the way it's described, instead it seems to be a fatal flaw in LDAP.

    Or, is it in fact saying that _servers_ are running OSX? Certainly a lot of the article implies that it's the OSX client which is at fault.

    1. Cabbit

      Cabbit

      The problem is on a openldap server on linux and solaris, We have not tried a Mac OSX openldap server.

    2. ThomH

      No, doesn't sounds like that

      My reading was that LDAP is used as the login mechanism for machines; if you can supply suitable credentials then you can get to a desktop. That bit all works correctly, with the LDAP server giving a verdict.

      OS X is then broken because if you get to another prompt that requires a machine password, like waking from sleep or performing a superuser operation if your user is set to have access to superuser stuff on that machine, it fails to verify with LDAP and just accepts whatever you type in. Meanwhile the user with actual credentials has already logged in, already gaining access to whatever else one keeps on an LDAP server.

  4. Jean-Luc
    Thumb Down

    Errr....

    >The are no widespread reports of problems when Lion machines log into networks that run Microsoft's Active Directory, Apple's Active Directory, or other apps that compete with LDAP.

    M$ Active Directory is an LDAP implementation. LDAP is a protocol/spec, not a product. So the article is really not clear what OS X is failing at working with - LDAP in general, or a particular vendor's implementation of LDAP?

    >Apple still hasn't admitted there's any problem.

    Come on, Apple. We've gone through this before, with MacDefender. Earn your keep.

    1. Craig Foster
      Boffin

      'LDAP' vuln. should not include MS or Apple sites

      Apple OpenDirectory and Microsoft Active Directory use Kerberos. LDAP lookups in a Golden Triangle setup (the "Apple Way") only use LDAP authentication between the OD Server doing the authorisation and augmented records and the AD servers doing password authentication.

      Any ACTC could tell you that.

      LDAP *should* only concern those not using a Kerberos-based system, namely authentication against a vanilla LDAP directory.

  5. Matt Bryant Silver badge
    Happy

    ".....but enterprises should think twice before deploying large fleets of them,,,,"

    Shirley not much chance of that happening?

    1. Anonymous Coward
      Anonymous Coward

      I wouldn't count on it...

      ... I work for a PLC, and our CEO is a total Mac / Iphone / Ipad addict. It's taken me several years of damned hard work to stop him rolling out Macs, Iphones and Ipads to all staff. The only thing that's managed to keep them out is when he's been adamant we have to switch throughout I've insisted on doing a penetration test on his gear. I tell him to assume I've broken into his car, and taken his Mactop, iphone and ipad (which he's always bought on impulse when visiting the apple store), and I've always managed to get his passwords, his bank and other stuff I shouldn't be able to get. The problem is he (like many other mac users) believe that macs are secure by default, without any of those Windoze issues. Therefore, he does nothing to secure his machines, to the point of not letting me secure them, but then why would he, Macs are secure by default!!!.

      Apparently we'll save a fortune on IT admin costs if we switch, but it's all based on him not understanding that most of IT's admin costs is on security, and us being able to prove via system monitoring, logging and auditing, that we havent been compromised. There really are some colourful board meetings about this.

      No doubt I'll be in undated with unix admins telling me how secure macs are if I properly rolled them out, but, in his eyes, replacing everything with macs = get rid of the IT dept and make huge savings, therefore nothing would be properly secured, because as all mac users know, they are secure by default :)

      1. Jim Morrow
        Paris Hilton

        more input and clue required

        > I've always managed to get his passwords, his bank and other stuff I shouldn't be able to get.

        this is only to be expected if you have physical access to the device and it's protected by a weak password. just boot in single user mode. job done! whether it's a mac or some other platform makes no fucking difference.

        btw, if your ceo really is that stupid, you need to report his negligence and/or wilful blindness to the plc's board. don't forget to pick up your p45!

        your ceo is right however that getting rid of any windoze kit will save the company money: just think of the zillions of hours that won't be wasted on daily or weekly reboots of all the desktops and stupid calls to it support.

        paris icon because she can be easily opened up.

        1. Tomato42
          Alien

          physical access

          He could have physical access to my laptop and he wouldn't be able to get my passwords, certificates and private data out of it

          no, my disk isn't encrypted, only the important bits are, using strong passwords, that's more than enough for any non-organized attacker (which would use rubber-hose cryptanalysis anyway)

          If you have company data on your machine == you have to encrypt whole drive, end of story.

          Windows doesn't use your password to encrypt WiFi keys, it uses machine key, saved on the disk, that can be read using free applications

          1. Anonymous Coward
            Anonymous Coward

            Thankyou...

            ... for predictably confirming my point. I love El-Reg comment forms :)

            For the record, my CEO went out, purchased a Mactop, and iphone for him and the board members (did I say he was impulsive) and then set them all up with @mac.com accounts to use. Simply because it was so simple for him to do. He (and the other board members) then contacted their contacts using MacMail and their @mac.com accounts and proceeded to perform the company business for some weeks. It was only a couple of weeks later I found out about this, because one of the directors asked me how he could continue to receive his Exchange mail on his new system.

            If one of your directors contacted all his business associates, and said "hey this is my home phone number, call me on that instead of the office number" how would your strong passwords help you then?

            1. AndrewG
              Unhappy

              I Feel your pain

              Having spent two years watching my companies Executive happily pushing for iPhones connected to the company exchange environment (because apparently Blackberries aren't cool at CEO gabfests) and watching so many reports go up to the board about why exactly its a bad idea, I just feel like I'm on the treadmill to security hell.

              1. AdamChew

                And losing a job

                Looks like many of the posts here are from people promoting windoze.

                Yes with the Mac in the system many of you here will be collecting your monthly dole cheque from the govt.

                There is nothing like fear especially the fear of losing a cosy job..

        2. Anonymous Coward
          Thumb Down

          Silly

          Silly post from someone with zero experience of enterprise environment.

      2. Anonymous Coward
        FAIL

        same as us

        we have the same issue with our CEO, a right tool he is, it would cost us a FORTUNE and you too if you were stupid enough to switch over to MAC. Our UNIX admins actually hate MAC's as much as we do!

      3. Anonymous Coward
        Pint

        Your CEO needs sacking

        People like that only ever properly learn what security really means when it's too late. Like when the company folds because it's most important info has been nicked from a penetrated network, it's business critical systems destroyed, it's customers lost to competitors. What price is well thought out IT in comparison? Cheap! If he's too stupid to realise he isn't an expert then he shouldn't have his oh so important and responsible job.

        Pint because it sounds like you need one.

        1. Anonymous Coward
          Anonymous Coward

          Hard to sack the guy...

          ... as he's the majority shareholder :)

          What makes it hard for me, is he views IT infrastructure, the same way he views his home network. On impulse he goes out and buys all the latest gear from the apple store (I'm not kidding, he'll go out and buy 10K's worth of Mac gear, because the salesman told him so). I then go round to his (titanic sized) house and he shows me all the gear, he set up himself in about 10 minutes, that lets him, his kids, wife, wifes kids, friends of kids, pets access his home network, not to mention his HomeBrick™. And apprently the fact that everyone and their dog can turn the kitchen lights on and off is a good thing.

          The only thing keeping me in a job is I sent all the board directors some Mercedes logo'd USB sticks in the post, with a fake Mercedes covering letter thanking them for their custom, and pointing to a (fake) website offering some great service deals. I then turned up a week later at the board meeting with numerous passwords in hand, pointing out I could have been a competitor, oh and look at the emails I managed to print out!

          It's frustrating. My employer is a PR company. I regularly point out, that as a PR company, it's our job to promote, exaggerate and lie about the products we're promoting, in order to make sales. The board agrees with me about this point. However when I point out that the marketing departments for any product we buy, have exactly the same mandate, therefore we should take anything a salesman says with a pinch of salt, I instantly become a heretic, simply because (i'm told) our competitors believe the same salesmen, therefore they are right, and I'm wrong.

          As someone else pointed out above, my only option to point out the facts, and collect my P45. But I have a mortgage, children, a nice big sports car and holiday home and we're in the middle of a recession, so, I think I'll stay put, and keep sending the bosses "free gifts" in the post.

          1. bazza Silver badge
            Pint

            @Dibbley: El Reg, immediate action needed

            Come on El Reg, this is a desparate situation. We need to get this hard pressed person an icon with several pints and a stiff whisky to follow. An icon with a single solitary pint is no where near enough. This is clearly a dedicated professional with a lot on their plate.

            It sounds like you're the only one standing between your CEO / majority stock holder and ruin. Good luck!

      4. Shades

        Some writers...

        ...Here on El Reg don't help matters by perpetuating myths either...

        "Macs may be an excellent choice for individuals looking for a machine that's resistant to malware attacks"

      5. Paul Crawford Silver badge

        @I wouldn't count on it...

        (1) Macs (and of course Linux) have far, far, less malware out there, as Windows has something like 99.95% of everything and a production rate of around 5k per day[*]. Hence AV that relies predominantly on daily signature updates still leaves a significant exposure.

        BUT on the other side of the equation you have:

        (2) The fanbois who fail to see that small != zero and no matter what you use it is still going to be vulnerable, either by implementation flaw or Trojan.

        (3) An apparent attitude problem of Apple to ignore or de-prioritise security issues that arise, more so the apparent lack of interest in enterprise support.

        I suspect that moving from Windows to Mac would make security better overall, but ONLY if you apply (and maintain) good IT policies. Seeing it as an excuse to cut IT support and let users have admin rights is going to be a massive FAIL in my humble opinion.

        [*] Based on the GData report covered here http://www.theregister.co.uk/2010/09/13/malware_threat_lanscape/ and assuming the 1M new Windows viruses are produced at an even rate over the 1st half of 2010.

  6. Syntax Error

    Curious

    This is a very strange problem. Seems like a problem of the protocol not OSX. Wonder what happens on an Active Directory network?

  7. Llama-made
    FAIL

    Not a protocol issue!

    This is not a protocol failure: the issue is that the OS X LDAP client allows a user to login no matter what password has been used.

    Active Directory requires a client that works properly too. It's perfectly possible to write a GINA or Authentication Provider that allows a user to login with the wrong password, even if the Windows box is joined to a domain. The user won't get access to Windows file shares if they do, because they won't have a valid Kerberos ticket, but they'll be logged into the local machine just fine. Fortunately Microsoft does not supply such a pointless authentication provider with the OS. Unlike Apple.

    This is just a massive cock-up by Apple.

  8. Anonymous Coward
    Mushroom

    LIES ALL LIES

    LION WAS GRANTED ONTO US BY SAINT STEVE ITS PERFECT !!!!!!!!!!!!

  9. Alan Denman

    Its not the device!

    I bet Steve Jobs says 'Apple devices do not screw up a person's security' .

    Just like he said "Apple devices do not track a person's location,"

    He's right cause he craftily meant "Its our software doing it you". Keep em stupid Steve.

  10. Anonymous Coward
    Anonymous Coward

    Client allow access??????

    It is never the client that grant access, it is always the server. Any claim of any other behavior show the name of an ignorant moron. It is always the server that grant access to a resource. Plain and simple.

    It is not possible to code a client that gives access without Active Directory allows it to. It allways gives access based on successful authentication enforcing privileges and authorization.

    Every other claim is ignorant and moronic.

    /H

  11. Anonymous Coward
    Anonymous Coward

    It is always the server!!!

    Anyone that belive it is the client that grant access to a resource is an ignorant moron. It is always the server that grant access, never the client.

    Active Directory grants access based on successful authentication and access restrictions. It is NEVER up to the client .

    If you decide to install an insecure Gina on your windows servers allowing no password it up to you. It has nothing to do with the client. It is always up to the server to grant access.

    /H

    1. Anonymous Coward
      FAIL

      Client data is what is compromised

      It is the client data, meant to be protected via Ldap authentication, that is compromised.

      The client needs to process a failed authentication. It is NOT always about the server.

      Eg user say in admin group logs in via ldap with right password.

      Mac os sees successful auth, and grants admin rights.

      Users walks away, logs out

      Another user comes along, logs in as user1 with bad password.

      Lion ignores failed authentication.

      Welcome to Lion, Stranger. You have local admin rights. What would you like to do on this client?

      1. LordBrian

        Really !?!?

        So on your summary this should work on any LDAP server, it doesn't.

        It affects Lion's OpenLDAP not other versions of LDAP running on Lion Server so the problem remains with the server NOT the client.

  12. durandal
    Coat

    Just allow access

    It's not that big of a deal

    1. Anonymous Coward
      Black Helicopters

      Can I borrow your laptop steve?

      Someone should try this on Jobs's laptop, What a scoop that'll be - iPhone 5, iPhone 6

      iAvatar, iDrone, iAssistant..

      iMe...

    2. Matt Bryant Silver badge
      Devil

      RE: Just allow access

      Actually, this is great news for BOFHs. It provides an excellent way to get rid of those lusers in your company that insist on using Jesustops instead of proper, secure, company laptop builds. All you do is wait for them to go to lunch, then log into their Mactop, exploit the LDAP flaw to gain access to something above their paygrade, then "catch" them later with your amazing security skillz! Not only do you get rid of the cretin, you also make yourself look like a top-noth security guru that can detect and contain those unaithorised accesses. It's highly unlikely the luser will have a clue about the LDAP bug and will be unable to defend themselves, all the "evidence" will make it look like they logged into another user's files. Thanks Steve!

  13. Arctic fox
    Windows

    Part of the problem here is scale of experience.

    Quite simply put neither Apple nor the business community in general have anywhere near the amount of experience with large networked Mac-based systems that the business community and MS (like them or loath them) have with such Windows based systems. Specifically they have not remotely the same amount of experience with such systems being attacked. IMHO that is a major contributor to this type of problem.

  14. amanfromearth
    FAIL

    Well

    "Apple's Mac has long been considered a safe haven from the malware and social engineering attacks"

    How is is supposed to make *any* difference at all against social engineering attacks?

    1. Anonymous Coward
      Joke

      amanfromearth

      "How is is supposed to make *any* difference at all against social engineering attacks?"

      Simple. Mac users don't have any friends outside of the Apple Zombie crowd.

    2. Loyal Commenter Silver badge
      Pirate

      Eh?

      Apple products ARE a social engineering attack.

  15. Mage Silver badge

    Enterprise?

    Does not compute. Macs are not for Enterprise. Even Apple agrees. It's a consumer product. Didn't they scrap their server HW product?

    1. BristolBachelor Gold badge
      Joke

      Apple server

      I thought that they didn't scrap their server product line. They just got rid of the rack-mount version with dual supplies.

      Instead, you can use the new one; it's flat, rectangular and with rounded corners.

      If you want to mount them in a rack, you can buy special (expensive) trays from 3rd parties, because we all know that it doesn't matter how you hold an iDevice, it just works :)

  16. hawleyal
    Thumb Down

    this article is merely ignorant FUD

    An LDAP client does not authenticate anything, and cannot divulge any secure information without proper credentials. The bug here is that proper credentials are authenticated by the server, and the client merely uses these credentials forever afterward, regardless of new (possibly invalid) credentials supplied. there is no security hole in the LDAP service. The client is just incorrectly permanently storing and using old credentials.

    I repeat. Secure information is not being divulged to anonymous or arbitrary users.

    This article mistates the problem, severity, and risk. I would venture this borders on irresponsible dissemination of incorrect information.

    1. Tom 13

      No, the problem is in the OS.

      The article is clearly indicating a prior legitimate access to the LDAP is occurring, so the server is doing its job. I suspect the OS is cache the LDAP credentials and resupplying them for the next authentication. And the problem is that means if another user comes by and attempts to re-authenticate to the server, his credentials aren't checked, just the working ones.

    2. Anonymous Coward
      FAIL

      Re: this article is merely ignorant FUD

      This was almost a good summary of what the article should have said more clearly (or at all), but then...

      "I repeat. Secure information is not being divulged to anonymous or arbitrary users."

      So let's log into your account on some machine or other and peruse all that non-privileged information. It's not about getting people's passwords, you know.

      "FUD, waaah!" - the rhetorical warcry of last resort.

  17. Alienrat
    Devil

    Lack of effort?

    I have Mac and Windows machines. Some jobs are better done by one or other of the machines. If I was a CEO and some of my IT staff came to me with some of these complaints, I think i would be ringing up the agencies.

    IT network staff rarely seem to get it is their job to support the users, most I have had the pleasure to work with thought it was the other way round. If my staff needed to use Macs to do their job, or windows, it is the job of the IT staff to make that work. Don't come to me and say it is impossible, come to me and tell me what you need to make it work - if they are so insecure we can't use this or that system, or even have to be disconnected fine, tell me that, or if you can't work out how to do it, fine, help me interview people who can. Just don't sit around whinging it is too hard and it can't be done because you don't know how to do it as you only understand windows.

    1. Stupidscript
      Thumb Down

      New to the Enterprise, are you?

      If all IT had to worry about was getting the right tool for the job at hand, that would be one thing. But that's not the problem, here.

      If IT staff are allowed to do their jobs, which is to define the enterprise needs and satisfy them with the safest, most cost-effective gear and protocols, then that would be one thing.

      But this story is about a CEO with no IT experience deciding on a whim that his entire enterprise should be run on devices that you can break into with a stick. The CEO is over-ruling the IT department's expertise because of his newly-acquired fanboi status.

      And you want the CEO to win that fight. Silly Alienrat. Obviously you have no responsibilities for a network of any size. If you did, you should be fired. Just because the CEO thinks some piece of gear is cool does in no way make that piece of gear suitable for the task, or for the environment.

      Most CEOs are stupid people who got where they are because they know how to suck up, not because of their enterprise computing experience. Stupid CEO decisions cost companies millions of dollars every day.

      In this case, if the CEO were to be allowed to dictate what his IT department is tasked with supporting, then the CEO would be responsible for his company's network becoming compromised and possibly leaking his company's most sensitive data to some rival, leading to the destruction of the company.

      And you can be sure that the IT department would get the blame.

      Try and do the job before you mock someone who actually does the job, Alienrat.

      1. Alienrat
        IT Angle

        Far from new, but not arrogant enough for IT

        If you are working in a company where the CEO has decided he wants a mac, and you need to satisfy that need with the cheapest, safest kit available, and this CEO is as you say, clueless based on what he knows, then surely that job is to provide him with a mac . Why would he need access to anything? Why would he need access to this companies sensitive data? that is made by other people, not him. He wants to email powerpoints to other people and receive reports, and be told when his meetings are - he needs LDAP access to exactly nothing, so I am not sure how this vunerabilty matters.

        No, I don't do IT, I am one of those little people making the important company data that is worth stealing. I have only seen that behaviour in a small company. MD brought in some laptop, we just told him it couldn't connect to the network as it wasn't compatible and set up his hotmail account. Job done.

        In my most recent experience of large networks as a user, the policies they were bringing in meant that i had to spend a large amount of my working week working around them to be able to do the job I was paid to do. And I was not in a unique position. If you think that improves security, I may not be the silly one.

        I don't need to do the job to know that that is wrong, any more than I need to be a plumber to know that I shouldn't have to take a bucket to the toilet to flush it.

  18. 2cent

    Apple, patently swayed

    The problem looks like, with all the lawyer talk, they forgot what business their in.

    Too busy to check on your own OS, just release and wait on on somebody to tell you "hey, this is wrong".

    Admittedly, I'm used to Microsoft with this line of thinking. Perhaps the music will stop long enough to find out who's sitting in which chair, but that won't happen till the money runs out.

    Of course, Apple will tell you "We're not in the server business", but they do admit to having there head in the clouds.

  19. Anonymous Coward
    Trollface

    NEW: It is a feature !!

    Passwords are confusing anyhow..and hackers seem to always guess it, even though you pick something really tricky like, 'love', or 'god', or 'mom'..or even 'hipster'. Apple fixed it !!

  20. energonic

    Caching?

    It is not clear from comments so far but it sounds like the security problem is that a client user logs in to a server session with legitimate credentials and some time later a user who doesn't know those credentials uses the same session. Or is it a different session, that uses cached credentials?

    If the former, this is a client-side security problem for any client-server system and it is not something the server can do much about. Perhaps a session timeout would help in some cases, but it would be intrusive. On the client it is mostly about physical security.

    If the latter, then the client software is remiss in reusing the cached credentials unprompted for a new session. Sounds relatively easy to fix.

This topic is closed for new posts.

Other stories you might like