[Mac_crypto] CERT/CC Vulnerability Note VU#467828
R. A. Hettinga
Sun, 8 Jun 2003 01:22:44 -0400
--- begin forwarded text
Date: Sun, 8 Jun 2003 00:27:46 -0400
From: Monty Solomon <firstname.lastname@example.org>
Subject: CERT/CC Vulnerability Note VU#467828
Vulnerability Note VU#467828
Mac OS X LDAP plugins transmit user credentials in clear text
Versions 10.2 and later of Apple's MacOS X operating system include
support for the Lightweight Directory Access Protocol (LDAP). A
vulnerability in the way some of these versions of MacOS X handle
authentication in certain environments could expose users' passwords
in plaintext as they're transmitted across the network.
Client systems using Kerberos login passwords and integration with an
LDAP server may inadvertently send the account password over the
network to the LDAP server in clear text format. If the
"authentication authority" attribute is not set on the LDAP server,
the loginwindow application will try to authenticate the account to
the configured LDAP server. After trying to authenticate the user
with an encrypted password, the loginwindow application falls back to
trying a Bind using an AuthenticationChoice of simple on the server.
This fallback action causes the account password to be transmitted
over the network in clear text.
This vulnerability is exposed strictly in an environment where
clients are configured to use Kerberos for authentication and LDAP
for lookup of other user records. This configuration is not the
default for MacOS X, but is commonly recommended and used for
environments with a large userbase.
--- end forwarded text
R. A. Hettinga <mailto: email@example.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
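The fallback described in the note above, modelled in code as an added example (it is not part of the forwarded CERT/CC text and is not Apple's loginwindow code). The PDU encoder builds real RFC 4511 BindRequests (BindRequest is [APPLICATION 0], the simple AuthenticationChoice is context tag [0], SASL is [3]); everything else is an assumption: the first attempt is modelled as a SASL GSSAPI bind, the directory server is a constructed stand-in that has no SASL support and so answers authMethodNotSupported, and the DN and password are made up. The point it shows is that once the client falls back to a simple bind on a connection without TLS, the password is byte-for-byte visible to anyone reading the wire, and that the fix on the client side is a policy check, not a different encoding.

```python
"""Model of an LDAP client that falls back from SASL to a simple bind,
plus a passive checker that finds the cleartext password in the PDUs.
Added example: hypothetical server, DN and password; RFC 4511 encoding."""
from typing import List, Optional, Tuple


def _ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber(tag: int, payload: bytes) -> bytes:
    """One BER TLV: tag byte, length, contents."""
    return bytes([tag]) + _ber_len(len(payload)) + payload


def ber_read(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Decode the TLV starting at pos; return (tag, contents, next_pos)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def ldap_message(message_id: int, op: bytes) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp }. IDs < 128 only."""
    return ber(0x30, ber(0x02, bytes([message_id])) + op)


def simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """BindRequest [APPLICATION 0] with authentication simple [0] OCTET STRING (0x80).
    The password goes into the PDU as-is: this is what the fallback sends."""
    op = ber(0x60, ber(0x02, b"\x03") + ber(0x04, dn.encode()) + ber(0x80, password.encode()))
    return ldap_message(message_id, op)


def sasl_bind(message_id: int, dn: str, mechanism: str, credentials: bytes = b"") -> bytes:
    """BindRequest with authentication sasl [3] SaslCredentials (0xA3).
    Credentials would be a GSSAPI token in practice; constructed here."""
    sasl = ber(0xA3, ber(0x04, mechanism.encode()) + ber(0x04, credentials))
    op = ber(0x60, ber(0x02, b"\x03") + ber(0x04, dn.encode()) + sasl)
    return ldap_message(message_id, op)


def parse_bind(pdu: bytes):
    """Return (dn, (kind, detail)) for a BindRequest, else None.
    kind is 'simple' (detail = password) or 'sasl' (detail = mechanism)."""
    tag, body, _ = ber_read(pdu)
    if tag != 0x30:
        return None
    _, _, pos = ber_read(body)            # messageID
    optag, op, _ = ber_read(body, pos)
    if optag != 0x60:
        return None
    _, _, pos = ber_read(op)              # version
    _, dn, pos = ber_read(op, pos)        # name (LDAPDN)
    atag, auth, _ = ber_read(op, pos)     # AuthenticationChoice
    if atag == 0x80:
        return dn.decode(), ("simple", auth.decode())
    if atag == 0xA3:
        _, mech, _ = ber_read(auth)
        return dn.decode(), ("sasl", mech.decode())
    return dn.decode(), ("other", None)


def cleartext_password(pdu: bytes) -> Optional[str]:
    """What a passive observer of the unprotected connection learns from one PDU."""
    parsed = parse_bind(pdu)
    if parsed and parsed[1][0] == "simple" and parsed[1][1]:
        return parsed[1][1]
    return None


class LegacyLdapServer:
    """Constructed stand-in for a directory with no SASL support:
    simple binds succeed (0), anything else gets authMethodNotSupported (7)."""
    def __init__(self) -> None:
        self.seen: List[bytes] = []

    def bind(self, pdu: bytes) -> int:
        self.seen.append(pdu)
        _, (kind, _) = parse_bind(pdu)
        return 0 if kind == "simple" else 7


def login(server: LegacyLdapServer, dn: str, password: str, *,
          tls: bool, allow_simple_without_tls: bool) -> str:
    """Models the fallback: try the SASL bind first, then a simple bind.
    The hardened policy refuses the simple bind unless the session is TLS-protected."""
    if server.bind(sasl_bind(1, dn, "GSSAPI")) == 0:
        return "sasl"
    if not tls and not allow_simple_without_tls:
        raise PermissionError("refusing cleartext simple bind on an unprotected connection")
    return "simple" if server.bind(simple_bind(2, dn, password)) == 0 else "failed"


if __name__ == "__main__":
    srv = LegacyLdapServer()
    print(login(srv, "uid=alice,dc=example,dc=com", "s3cret", tls=False, allow_simple_without_tls=True))
    print([cleartext_password(p) for p in srv.seen])
```

Run against the stand-in server, the permissive client logs in with "simple" and the second PDU it sent yields the password to cleartext_password(); the client with allow_simple_without_tls=False raises instead, and none of the PDUs it sent contain the password. The same checker run over real captured LDAP traffic (port 389, no STARTTLS) is a reasonable way to confirm whether a fleet is actually affected rather than trusting the configuration.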