
Apple Filing Protocol Insecure Implementation

Feb 29, 2004 11:55PM PST

Critical: Moderately critical
Impact: Exposure of sensitive information
Where: From remote
OS: Apple Macintosh OS X

Description:
Chris Adams has reported a vulnerability in Mac OS X, which may allow malicious people to gain knowledge of sensitive data like user credentials.

The problem is that the Apple Filing Protocol (AFP) silently falls back to plain-text authentication when configured to use SSH when a remote host fails to accept SSH.

The vulnerability has been reported in Apple Macintosh OS X versions 10.2 through 10.3.2.

Solution:
Filter traffic to prevent plain text AFP traffic over insecure networks.

Use manual SSH or VPN tunnels.

Provided and/or discovered by:
Chris Adams

http://secunia.com/advisories/11012/
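Because the fallback is silent, a client can only confirm that an AFP session really went through a tunnel by looking at its own connections. The following is an added example, not part of the advisory or the original post: it reads `netstat -an -p tcp` output in the BSD/Mac OS X layout and lists remote hosts reached directly on the AFP port. It assumes AFP over TCP on port 548 and a manual tunnel listening on a loopback port (10548 here, an arbitrary choice); the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag AFP sessions that bypass the SSH/VPN tunnel.
# Live use on a client:  netstat -an -p tcp | direct_afp_peers
# Addresses in this netstat layout are written host.port, e.g. 10.0.0.8.548.

AFP_PORT=548   # AFP over TCP

# Print the remote host of every ESTABLISHED connection whose remote
# port is AFP_PORT and whose remote host is not loopback. A session that
# is really tunnelled terminates on loopback, so any output here is AFP
# traffic leaving the machine outside the tunnel.
direct_afp_peers() {
    awk -v port="$AFP_PORT" '
        $1 ~ /^tcp/ && $NF == "ESTABLISHED" {
            foreign = $5
            n = split(foreign, part, /[.]/)
            if (part[n] != port) next          # not the AFP port
            host = substr(foreign, 1, length(foreign) - length(part[n]) - 1)
            if (host ~ /^127[.]/ || host == "::1") next   # via local tunnel
            print host
        }'
}

# Constructed sample: one direct AFP session (the fallback case), one
# session through a local tunnel on port 10548, and the SSH connection
# that carries the tunnel.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.5.49201      203.0.113.10.548       ESTABLISHED
tcp4       0      0  127.0.0.1.49202        127.0.0.1.10548        ESTABLISHED
tcp4       0      0  192.168.1.5.49203      203.0.113.10.22        ESTABLISHED
tcp4       0      0  127.0.0.1.49204        127.0.0.1.548          ESTABLISHED
tcp4       0      0  *.548                  *.*                    LISTEN
EOF
}

sample_netstat | direct_afp_peers
```

Any host printed is being reached over AFP without the tunnel; the same port number is what an outbound filter on untrusted networks needs to block.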
