[Mac_crypto] CERT/CC Vulnerability Note VU#467828

R. A. Hettinga mac_crypto@vmeng.com
Sun, 8 Jun 2003 01:22:44 -0400

--- begin forwarded text

Status:  U
Date: Sun, 8 Jun 2003 00:27:46 -0400
To: undisclosed-recipient:;
From: Monty Solomon <monty@roscom.com>
Subject: CERT/CC Vulnerability Note VU#467828

Vulnerability Note VU#467828

Mac OS X LDAP plugins transmit user credentials in clear text

Versions 10.2 and later of Apple's MacOS X operating system include 
support for the Lightweight Directory Access Protocol (LDAP). A 
vulnerability in the way some of these versions of MacOS X handle 
authentication in certain environments could expose users' passwords 
in plaintext as they're transmitted across the network.

I. Description
Client systems using Kerberos login passwords and integration with an 
LDAP server may inadvertently send the account password over the 
network to the LDAP server in clear text format. If the 
"authentication authority" attribute is not set on the LDAP server, 
the loginwindow application will try to authenticate the account to 
the configured LDAP server. After trying to authenticate the user 
with an encrypted password, the loginwindow application falls back to 
trying a Bind using an AuthenticationChoice of simple on the server. 
This fallback action causes the account password to be transmitted 
over the network in clear text.

This vulnerability is exposed strictly in an environment where 
clients are configured to use Kerberos for authentication and LDAP 
for lookup of other user records. This configuration is not the 
default for MacOS X, but is commonly recommended and used for 
environments with a large userbase.



--- end forwarded text

R. A. Hettinga <mailto: rah@ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
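The fallback the CERT note describes (an authenticated bind attempt, then a retry with an AuthenticationChoice of simple) is easy to see on the wire once the LDAP BindRequest encoding is spelled out. The following Python is an added example, not code from the note, from Apple or from the mailing list: it BER-encodes BindRequest messages per RFC 4511, decodes them the way a passive network sensor would, and flags the ones that carry a cleartext password. The DN, password, message IDs and the choice of CRAM-MD5 as the first (non-simple) mechanism are constructed assumptions for the demo; the note does not say which mechanism loginwindow tried first.

```python
"""Added example: LDAP BindRequest encoding/decoding (RFC 4511, BER) used to
show why a fallback from a SASL bind to a simple bind leaks the password.
All sample data (DN, password, message IDs, mechanism) is constructed."""


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(v: int) -> bytes:
    """INTEGER (tag 0x02), minimal two's-complement content."""
    body = v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True)
    return tlv(0x02, body)


def simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] } with
    AuthenticationChoice simple [0] OCTET STRING (context tag 0x80).
    The password is an unprotected OCTET STRING: cleartext on the wire."""
    auth = tlv(0x80, password.encode())
    op = tlv(0x60, ber_int(3) + tlv(0x04, dn.encode()) + auth)
    return tlv(0x30, ber_int(msg_id) + op)


def sasl_bind(msg_id: int, dn: str, mechanism: str, credentials: bytes = b"") -> bytes:
    """Same message with AuthenticationChoice sasl [3] SaslCredentials
    (context tag 0xA3, constructed): mechanism name plus optional credentials."""
    creds = tlv(0x04, credentials) if credentials else b""
    sasl = tlv(0xA3, tlv(0x04, mechanism.encode()) + creds)
    op = tlv(0x60, ber_int(3) + tlv(0x04, dn.encode()) + sasl)
    return tlv(0x30, ber_int(msg_id) + op)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def inspect_bind(buf: bytes) -> dict:
    """Decode one LDAPMessage as a sensor would; report whether it is a
    BindRequest that exposes a password in cleartext."""
    tag, msg, _ = _read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = _read_tlv(msg, 0)
    msg_id = int.from_bytes(mid, "big", signed=True)
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x60:
        return {"message_id": msg_id, "bind": False}
    _, ver, pos = _read_tlv(op, 0)
    _, dn, pos = _read_tlv(op, pos)
    atag, auth, _ = _read_tlv(op, pos)
    out = {"message_id": msg_id, "bind": True, "version": ver[0], "dn": dn.decode()}
    if atag == 0x80:
        out["auth"] = "simple"
        out["password"] = auth.decode(errors="replace")
        # An empty simple password is an anonymous bind (RFC 4513 5.1.1), not a leak.
        out["leaks_password"] = len(auth) > 0
    elif atag == 0xA3:
        _, mech, _ = _read_tlv(auth, 0)
        out["auth"] = "sasl"
        out["mechanism"] = mech.decode()
        # SASL PLAIN also ships the password verbatim; challenge/response ones do not.
        out["leaks_password"] = out["mechanism"].upper() == "PLAIN"
    else:
        out["auth"] = "unknown"
        out["leaks_password"] = False
    return out


def loginwindow_fallback_trace(dn: str, password: str) -> list:
    """Constructed model of the sequence in the note: a non-simple bind
    attempt first (CRAM-MD5 is an assumption), then the simple-bind fallback."""
    return [sasl_bind(1, dn, "CRAM-MD5"), simple_bind(2, dn, password)]


def find_cleartext_binds(messages) -> list:
    """Filter a list of raw LDAPMessages down to the password-leaking binds."""
    return [r for r in map(inspect_bind, messages) if r.get("leaks_password")]


if __name__ == "__main__":
    trace = loginwindow_fallback_trace("uid=alice,dc=example,dc=com", "hunter2")
    for hit in find_cleartext_binds(trace):
        print("cleartext bind: msg", hit["message_id"], hit["dn"], repr(hit["password"]))
```

Note that `inspect_bind` only says the password field is unprotected at the LDAP layer; whether that matters depends on the transport. A simple bind inside an existing TLS session (ldaps:// or after StartTLS) is not readable by a third party, so a sensor should pair this check with the port or the TLS state of the connection before raising an alert.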