Latest Tech News - LDAP flaw in OS X Lion opens major authentication security hole
    Posted by vis~as (SuperMod)


    Apparently a major security hole has been found in OS X Lion systems that are set up to accept authentication through LDAP servers, where users may be allowed to log in to the system without providing a password. For networked systems that use LDAP-based authentication for managing users and restricting network resources, this may be a fairly severe security risk.

    Lightweight Directory Access Protocol (LDAP) is a technology that handles access to directory services on a network, with one of its uses being to deploy network user accounts to PCs on a network. The technology is extensively deployed by IT departments to offer access control for users and groups on the network.

    With the current problem, on a network that uses an LDAP server, once a user logs into an OS X Lion system that is bound to the LDAP server, then the system will successfully log in when any other username is used, even if no password is provided. Some people are claiming that once the system is logged in then even usernames that do not exist can be used to authenticate the system.

    MacRumors forum member "monachus" writes:

    [This problem is not just with] blank passwords--any login. I logged in with a username that doesn't exist anywhere, and it took it without hesitation. It complained that the home directory wasn't in the normal place, but I was logged in. The whole thing is terrible.

    According to the German tech site heise.de, Apple has been informed of the problem and should be looking into it (others noting the problem have also contacted Apple to notify it about the bug), but so far Apple has only released one update for Lion and the problem has not been addressed in it. OS X 10.7.2 is due out very soon, and hopefully Apple will tackle this issue in that update.

    This problem is a fairly severe vulnerability for LDAP authenticated systems, and as a result Apple will likely address it quickly; however, until then systems that use LDAP may be vulnerable. Therefore, for now, if your network uses LDAP authentication, we advise you either unbind your OS X Lion systems or downgrade them to Snow Leopard by restoring them to a backup, until a patch is released.

    If you cannot downgrade or unbind your system from the LDAP server, then depending on how your system is configured and used, you may be able to avoid this issue by rebooting your system after you are done using it, instead of merely logging out. Doing this will prevent others from logging in at the log-in screen, but will not prevent someone with access from logging out and switching accounts.

    This problem appears to only affect LDAP-bound systems, so if your system is not connected to a central authentication server (which has to be explicitly done by an IT administrator) then you should not be concerned with this problem. As a result, OS X systems purchased off the shelf will not be affected by this issue, so your Mac at home running OS X Lion will be safe from this vulnerability.

