LDAP flaw in OS X Lion opens major authentication security hole

A new security hole has been found in OS X Lion where usernames can be authenticated without providing a password on systems bound to LDAP servers.

Apparently a major security hole has been found in OS X Lion systems that are set up to accept authentication through LDAP servers, where users may be allowed to log in to the system without providing a password. For networked systems that uses LDAP-based authentication for managing users and restricting network resources, this may be a fairly severe security risk.

Lightweight Directory Access Protocol (LDAP) is a technology that handles access to directory services on a network, with one of its uses being to deploy network user accounts to PCs on a network. The technology is extensively deployed by IT departments to offer access control for users and groups on the network.

With the current problem, on a network that uses an LDAP server, once a user logs into an OS X Lion system that is bound to the LDAP server, then the system will successfully log in when any other username is used, even if no password is provided. Some people are claiming that once the system is logged in then even usernames that do not exist can be used to authenticate the system.

MacRumors forum member "monachus" writes:

[This problem is not just with] blank passwords--any login. I logged in with a username that doesn't exist anywhere, and it took it without hesitation. It complained that the home directory wasn't in the normal place, but I was logged in. The whole thing is terrible.

According to the German tech site heise.de, Apple has been informed of the problem and should be looking into it (others noting the problem have also contacted Apple to notify it about the bug), but so far Apple has only released one update for Lion and the problem has not been addressed in it. OS X 10.7.2 is due out very soon, and hopefully Apple will tackle this issue in that update.

This problem is a fairly severe vulnerability for LDAP authenticated systems, and as a result Apple will likely address it quickly; however, until then systems that use LDAP may be vulnerable. Therefore, for now, if your network uses LDAP authentication, we advise you either unbind your OS X Lion systems or downgrade them to Snow Leopard by restoring them to a backup, until a patch is released.

If you cannot downgrade or unbind your system from the LDAP server, then depending on how your system is configured and used, you may be able to avoid this issue by rebooting your system after you are done using it, instead of merely logging out. Doing this will prevent others from logging it at the log-in screen, but will not prevent someone with access from logging out and switching accounts.

This problem appears to only affect LDAP-bound systems, so if your system is not connected to a central authentication server (which has to be explicitly done by an IT administrator) then you should not be concerned with this problem. As a result, OS X systems purchased off the shelf will not be affected by this issue, so your Mac at home running OS X Lion will be safe from this vulnerability.



Questions? Comments? Have a fix? Post them below or e-mail us!
Be sure to check us out on Twitter and the CNET Mac forums.

About the author

    Topher, an avid Mac user for the past 15 years, has been a contributing author to MacFixIt since the spring of 2008. One of his passions is troubleshooting Mac problems and making the best use of Macs and Apple hardware at home and in the workplace.

     

    Join the discussion

    Conversation powered by Livefyre

    Show Comments Hide Comments