Apple's latest version of Mac OS X is creating serious security risks for businesses that use it to interact with a popular form of centralized networks. People logging in to Macs running OS X 10.7, aka Lion, can access restricted resources using any password they want when the machines use a popular technology known as LDAP …
I don't know the ins and outs of LDAP
But to me, any system of any security should assume that the client is compromised by design.
If the client fails to authenticate a password, what the hell is the server supposed to do?
(For the record, I own both a Mac and a PC desktop. Makes no difference to me that this is an Apple issue, a vulnerability in the *client* should not open all the keys to the kingdom of the server.)
what is happening is this:
* a user logs in using a valid username/password
* the username/password is authenticated against the LDAP server which says yay or nay
* then, the user requests access to some other resource that requires LDAP authentication
* at this point OSX Lion doesn't bother requesting that the LDAP server authenticate the credentials given.
This means anything with client-side LDAP authentication is wide open. As OpenLDAP server by default allows at least read only access to most of the tree that probably means most of the directory is available for perusing... but then any sysadmin worth their salt should have locked down access to the directory.
The still don't make sense.
Where is this credentials come from?
"* at this point OSX Lion doesn't bother requesting that the LDAP server authenticate the credentials given."
Have to agree with you
A server should always authenticate the user, regardless.
Any other design, as the article shows is stupid, and insecure.
How many times has this happened in the past ? LOTS. Why has the lesson not been learnt ?
I can only say FAIL.
Re: The still don't make sense.
"Where is this credentials come from?"
I imagine that Mac OS X just re-uses the authentication token for the user who actually authenticated, regardless of whoever is supposed to be performing the operation.
From what you're telling, failure is somewhere else
... the user requests access to some other resource that requires authentication...
Well duh, it is the job of that resource to ask the LDAP server and NOT the client to confirm the user has been authenticated/authorized for that access. The way this has been described it seems the problem is with LDAP as a security framework and not with the way MacOS is using it.
Bigger Problem Than You Think
This particular issue has nothing to do with the nature of LDAP and everything to do with Lion's problems within such a system.
The problem is that Lion is not requesting ANY authentication of the password. You can use any valid user name, and ANY password. Doesn't have to be a valid password, or even a password included in the system.
That's a pretty big problem for Apple, and no problem at all for LDAP.
Open Directory is NOT a Microsoft product. It's an Apple product. Microsoft's is Active Directory.
It's an Apple product
Oh no it isnt.. the clue is in the 'Open'..
Seems it's specifically NOT apple's version thats screwing up too...
Yes, it is
Open Directory is indeed Apple. You're thinking of OpenLDAP (which Open Directory uses though).
Wait a second ...
First off, let me start by saying I've zero experience of LDAP and maybe I'm misunderstanding the article, but ...
Isn't the real story here that LDAP is completely ineffectual as a security mechanism? It should be the server which authenticates the client, not the client itself. This doesn't seem to be a bug in OSX from the way it's described, instead it seems to be a fatal flaw in LDAP.
Or, is it in fact saying that _servers_ are running OSX? Certainly a lot of the article implies that it's the OSX client which is at fault.
The problem is on a openldap server on linux and solaris, We have not tried a Mac OSX openldap server.
No, doesn't sounds like that
My reading was that LDAP is used as the login mechanism for machines; if you can supply suitable credentials then you can get to a desktop. That bit all works correctly, with the LDAP server giving a verdict.
OS X is then broken because if you get to another prompt that requires a machine password, like waking from sleep or performing a superuser operation if your user is set to have access to superuser stuff on that machine, it fails to verify with LDAP and just accepts whatever you type in. Meanwhile the user with actual credentials has already logged in, already gaining access to whatever else one keeps on an LDAP server.
>The are no widespread reports of problems when Lion machines log into networks that run Microsoft's Active Directory, Apple's Active Directory, or other apps that compete with LDAP.
M$ Active Directory is an LDAP implementation. LDAP is a protocol/spec, not a product. So the article is really not clear what OS X is failing at working with - LDAP in general, or a particular vendor's implementation of LDAP?
>Apple still hasn't admitted there's any problem.
Come on, Apple. We've gone through this before, with MacDefender. Earn your keep.
'LDAP' vuln. should not include MS or Apple sites
Apple OpenDirectory and Microsoft Active Directory use Kerberos. LDAP lookups in a Golden Triangle setup (the "Apple Way") only use LDAP authentication between the OD Server doing the authorisation and augmented records and the AD servers doing password authentication.
Any ACTC could tell you that.
LDAP *should* only concern those not using a Kerberos-based system, namely authentication against a vanilla LDAP directory.
".....but enterprises should think twice before deploying large fleets of them,,,,"
Shirley not much chance of that happening?
I wouldn't count on it...
... I work for a PLC, and our CEO is a total Mac / Iphone / Ipad addict. It's taken me several years of damned hard work to stop him rolling out Macs, Iphones and Ipads to all staff. The only thing that's managed to keep them out is when he's been adamant we have to switch throughout I've insisted on doing a penetration test on his gear. I tell him to assume I've broken into his car, and taken his Mactop, iphone and ipad (which he's always bought on impulse when visiting the apple store), and I've always managed to get his passwords, his bank and other stuff I shouldn't be able to get. The problem is he (like many other mac users) believe that macs are secure by default, without any of those Windoze issues. Therefore, he does nothing to secure his machines, to the point of not letting me secure them, but then why would he, Macs are secure by default!!!.
Apparently we'll save a fortune on IT admin costs if we switch, but it's all based on him not understanding that most of IT's admin costs is on security, and us being able to prove via system monitoring, logging and auditing, that we havent been compromised. There really are some colourful board meetings about this.
No doubt I'll be in undated with unix admins telling me how secure macs are if I properly rolled them out, but, in his eyes, replacing everything with macs = get rid of the IT dept and make huge savings, therefore nothing would be properly secured, because as all mac users know, they are secure by default :)
more input and clue required
> I've always managed to get his passwords, his bank and other stuff I shouldn't be able to get.
this is only to be expected if you have physical access to the device and it's protected by a weak password. just boot in single user mode. job done! whether it's a mac or some other platform makes no fucking difference.
btw, if your ceo really is that stupid, you need to report his negligence and/or wilful blindness to the plc's board. don't forget to pick up your p45!
your ceo is right however that getting rid of any windoze kit will save the company money: just think of the zillions of hours that won't be wasted on daily or weekly reboots of all the desktops and stupid calls to it support.
paris icon because she can be easily opened up.
same as us
we have the same issue with our CEO, a right tool he is, it would cost us a FORTUNE and you too if you were stupid enough to switch over to MAC. Our UNIX admins actually hate MAC's as much as we do!
Your CEO needs sacking
People like that only ever properly learn what security really means when it's too late. Like when the company folds because it's most important info has been nicked from a penetrated network, it's business critical systems destroyed, it's customers lost to competitors. What price is well thought out IT in comparison? Cheap! If he's too stupid to realise he isn't an expert then he shouldn't have his oh so important and responsible job.
Pint because it sounds like you need one.
He could have physical access to my laptop and he wouldn't be able to get my passwords, certificates and private data out of it
no, my disk isn't encrypted, only the important bits are, using strong passwords, that's more than enough for any non-organized attacker (which would use rubber-hose cryptanalysis anyway)
If you have company data on your machine == you have to encrypt whole drive, end of story.
Windows doesn't use your password to encrypt WiFi keys, it uses machine key, saved on the disk, that can be read using free applications
...Here on El Reg don't help matters by perpetuating myths either...
"Macs may be an excellent choice for individuals looking for a machine that's resistant to malware attacks"
Hard to sack the guy...
... as he's the majority shareholder :)
What makes it hard for me, is he views IT infrastructure, the same way he views his home network. On impulse he goes out and buys all the latest gear from the apple store (I'm not kidding, he'll go out and buy 10K's worth of Mac gear, because the salesman told him so). I then go round to his (titanic sized) house and he shows me all the gear, he set up himself in about 10 minutes, that lets him, his kids, wife, wifes kids, friends of kids, pets access his home network, not to mention his HomeBrick™. And apprently the fact that everyone and their dog can turn the kitchen lights on and off is a good thing.
The only thing keeping me in a job is I sent all the board directors some Mercedes logo'd USB sticks in the post, with a fake Mercedes covering letter thanking them for their custom, and pointing to a (fake) website offering some great service deals. I then turned up a week later at the board meeting with numerous passwords in hand, pointing out I could have been a competitor, oh and look at the emails I managed to print out!
It's frustrating. My employer is a PR company. I regularly point out, that as a PR company, it's our job to promote, exaggerate and lie about the products we're promoting, in order to make sales. The board agrees with me about this point. However when I point out that the marketing departments for any product we buy, have exactly the same mandate, therefore we should take anything a salesman says with a pinch of salt, I instantly become a heretic, simply because (i'm told) our competitors believe the same salesmen, therefore they are right, and I'm wrong.
As someone else pointed out above, my only option to point out the facts, and collect my P45. But I have a mortgage, children, a nice big sports car and holiday home and we're in the middle of a recession, so, I think I'll stay put, and keep sending the bosses "free gifts" in the post.
... for predictably confirming my point. I love El-Reg comment forms :)
For the record, my CEO went out, purchased a Mactop, and iphone for him and the board members (did I say he was impulsive) and then set them all up with @mac.com accounts to use. Simply because it was so simple for him to do. He (and the other board members) then contacted their contacts using MacMail and their @mac.com accounts and proceeded to perform the company business for some weeks. It was only a couple of weeks later I found out about this, because one of the directors asked me how he could continue to receive his Exchange mail on his new system.
If one of your directors contacted all his business associates, and said "hey this is my home phone number, call me on that instead of the office number" how would your strong passwords help you then?
I Feel your pain
Having spent two years watching my companies Executive happily pushing for iPhones connected to the company exchange environment (because apparently Blackberries aren't cool at CEO gabfests) and watching so many reports go up to the board about why exactly its a bad idea, I just feel like I'm on the treadmill to security hell.
@Dibbley: El Reg, immediate action needed
Come on El Reg, this is a desparate situation. We need to get this hard pressed person an icon with several pints and a stiff whisky to follow. An icon with a single solitary pint is no where near enough. This is clearly a dedicated professional with a lot on their plate.
It sounds like you're the only one standing between your CEO / majority stock holder and ruin. Good luck!
And losing a job
Looks like many of the posts here are from people promoting windoze.
Yes with the Mac in the system many of you here will be collecting your monthly dole cheque from the govt.
There is nothing like fear especially the fear of losing a cosy job..
Silly post from someone with zero experience of enterprise environment.
@I wouldn't count on it...
(1) Macs (and of course Linux) have far, far, less malware out there, as Windows has something like 99.95% of everything and a production rate of around 5k per day[*]. Hence AV that relies predominantly on daily signature updates still leaves a significant exposure.
BUT on the other side of the equation you have:
(2) The fanbois who fail to see that small != zero and no matter what you use it is still going to be vulnerable, either by implementation flaw or Trojan.
(3) An apparent attitude problem of Apple to ignore or de-prioritise security issues that arise, more so the apparent lack of interest in enterprise support.
I suspect that moving from Windows to Mac would make security better overall, but ONLY if you apply (and maintain) good IT policies. Seeing it as an excuse to cut IT support and let users have admin rights is going to be a massive FAIL in my humble opinion.
[*] Based on the GData report covered here http://www.theregister.co.uk/2010/09/13/malware_threat_lanscape/ and assuming the 1M new Windows viruses are produced at an even rate over the 1st half of 2010.
This is a very strange problem. Seems like a problem of the protocol not OSX. Wonder what happens on an Active Directory network?
Not a protocol issue!
This is not a protocol failure: the issue is that the OS X LDAP client allows a user to login no matter what password has been used.
Active Directory requires a client that works properly too. It's perfectly possible to write a GINA or Authentication Provider that allows a user to login with the wrong password, even if the Windows box is joined to a domain. The user won't get access to Windows file shares if they do, because they won't have a valid Kerberos ticket, but they'll be logged into the local machine just fine. Fortunately Microsoft does not supply such a pointless authentication provider with the OS. Unlike Apple.
This is just a massive cock-up by Apple.
LIES ALL LIES
LION WAS GRANTED ONTO US BY SAINT STEVE ITS PERFECT !!!!!!!!!!!!
Its not the device!
I bet Steve Jobs says 'Apple devices do not screw up a person's security' .
Just like he said "Apple devices do not track a person's location,"
He's right cause he craftily meant "Its our software doing it you". Keep em stupid Steve.
Client allow access??????
It is never the client that grant access, it is always the server. Any claim of any other behavior show the name of an ignorant moron. It is always the server that grant access to a resource. Plain and simple.
It is not possible to code a client that gives access without Active Directory allows it to. It allways gives access based on successful authentication enforcing privileges and authorization.
Every other claim is ignorant and moronic.
It is always the server!!!
Anyone that belive it is the client that grant access to a resource is an ignorant moron. It is always the server that grant access, never the client.
Active Directory grants access based on successful authentication and access restrictions. It is NEVER up to the client .
If you decide to install an insecure Gina on your windows servers allowing no password it up to you. It has nothing to do with the client. It is always up to the server to grant access.
Client data is what is compromised
It is the client data, meant to be protected via Ldap authentication, that is compromised.
The client needs to process a failed authentication. It is NOT always about the server.
Eg user say in admin group logs in via ldap with right password.
Mac os sees successful auth, and grants admin rights.
Users walks away, logs out
Another user comes along, logs in as user1 with bad password.
Lion ignores failed authentication.
Welcome to Lion, Stranger. You have local admin rights. What would you like to do on this client?
So on your summary this should work on any LDAP server, it doesn't.
It affects Lion's OpenLDAP not other versions of LDAP running on Lion Server so the problem remains with the server NOT the client.
Just allow access
It's not that big of a deal
Can I borrow your laptop steve?
Someone should try this on Jobs's laptop, What a scoop that'll be - iPhone 5, iPhone 6
iAvatar, iDrone, iAssistant..
RE: Just allow access
Actually, this is great news for BOFHs. It provides an excellent way to get rid of those lusers in your company that insist on using Jesustops instead of proper, secure, company laptop builds. All you do is wait for them to go to lunch, then log into their Mactop, exploit the LDAP flaw to gain access to something above their paygrade, then "catch" them later with your amazing security skillz! Not only do you get rid of the cretin, you also make yourself look like a top-noth security guru that can detect and contain those unaithorised accesses. It's highly unlikely the luser will have a clue about the LDAP bug and will be unable to defend themselves, all the "evidence" will make it look like they logged into another user's files. Thanks Steve!
Part of the problem here is scale of experience.
Quite simply put neither Apple nor the business community in general have anywhere near the amount of experience with large networked Mac-based systems that the business community and MS (like them or loath them) have with such Windows based systems. Specifically they have not remotely the same amount of experience with such systems being attacked. IMHO that is a major contributor to this type of problem.
"Apple's Mac has long been considered a safe haven from the malware and social engineering attacks"
How is is supposed to make *any* difference at all against social engineering attacks?
"How is is supposed to make *any* difference at all against social engineering attacks?"
Simple. Mac users don't have any friends outside of the Apple Zombie crowd.
Apple products ARE a social engineering attack.
Does not compute. Macs are not for Enterprise. Even Apple agrees. It's a consumer product. Didn't they scrap their server HW product?
I thought that they didn't scrap their server product line. They just got rid of the rack-mount version with dual supplies.
Instead, you can use the new one; it's flat, rectangular and with rounded corners.
If you want to mount them in a rack, you can buy special (expensive) trays from 3rd parties, because we all know that it doesn't matter how you hold an iDevice, it just works :)
this article is merely ignorant FUD
An LDAP client does not authenticate anything, and cannot divulge any secure information without proper credentials. The bug here is that proper credentials are authenticated by the server, and the client merely uses these credentials forever afterward, regardless of new (possibly invalid) credentials supplied. there is no security hole in the LDAP service. The client is just incorrectly permanently storing and using old credentials.
I repeat. Secure information is not being divulged to anonymous or arbitrary users.
This article mistates the problem, severity, and risk. I would venture this borders on irresponsible dissemination of incorrect information.
No, the problem is in the OS.
The article is clearly indicating a prior legitimate access to the LDAP is occurring, so the server is doing its job. I suspect the OS is cache the LDAP credentials and resupplying them for the next authentication. And the problem is that means if another user comes by and attempts to re-authenticate to the server, his credentials aren't checked, just the working ones.
Re: this article is merely ignorant FUD
This was almost a good summary of what the article should have said more clearly (or at all), but then...
"I repeat. Secure information is not being divulged to anonymous or arbitrary users."
So let's log into your account on some machine or other and peruse all that non-privileged information. It's not about getting people's passwords, you know.
"FUD, waaah!" - the rhetorical warcry of last resort.
Lack of effort?
I have Mac and Windows machines. Some jobs are better done by one or other of the machines. If I was a CEO and some of my IT staff came to me with some of these complaints, I think i would be ringing up the agencies.
IT network staff rarely seem to get it is their job to support the users, most I have had the pleasure to work with thought it was the other way round. If my staff needed to use Macs to do their job, or windows, it is the job of the IT staff to make that work. Don't come to me and say it is impossible, come to me and tell me what you need to make it work - if they are so insecure we can't use this or that system, or even have to be disconnected fine, tell me that, or if you can't work out how to do it, fine, help me interview people who can. Just don't sit around whinging it is too hard and it can't be done because you don't know how to do it as you only understand windows.