So I took a look at IT-DISCUSS and couldn't find a thread mentioning this, but there is a major security hole in OS X Lion (and still in 10.7.1).

It basically lets you log in with any password on any Lion machine connected to our LDAP authentication at UVM as long as you know a person's netID. (Not very hard, as we publish everyone's netIDs on our website.) While I don't think this compromises our LDAP information (does it?), it gives access to any network user on any Lion machine.

http://www.tuaw.com/2011/08/29/os-x-lion-accepts-any-ldap-password-creates-enterprise-network/

http://www.defenceindepth.net/2011/09/cracking-os-x-lion-passwords.html

I've validated that a simple 10.6.8 to 10.7.1 upgrade from an existing LDAP authenticated system creates this problem.

One temp mitigation (per the second article above) is to limit access to dscl (sudo chmod 100 /usr/bin/dscl), but I haven't validated that yet.

Some on the internet have said the problem is fixed if you pull your existing LDAP configuration and add a new one. I haven't figured out how to actually get a new LDAP config to work with UVM's servers in Lion. Any help would be most appreciated.

Just thought I'd send out the info...

All the best,
Walker Blackwell