Sophos Cloud Optix
Late last week, I was in a taxi with a business acquaintance, heading to an event at which we were both speaking.
We’re both Mac users, so in the fashion of fanbuoys-in-denial the world over, we started chatting about all things Apple. That led us to Lion, which in turn led to my chum James saying, “Have you seen the recent discussions online about LDAP network authentication on Lion clients? It’s a really handy feature – if you forget your password, you can just make one up. A real helpdesk time saver!”
This issue has been brewing in online forums for more than a month, pretty much since Lion’s release, but has now hit the news in a big way. Irrepressibly eager Register hack Dan Goodin, for example, describes it as a ‘huge hole’ threatening enterprise networks.
Unfortunately, exactly how extensive the hole is – and exactly where the fault lies, where the fix should come from, and what can be done in the meantime – isn’t terribly clear from the articles I’ve seen, including the discussions on Apple’s own forum.
Clearly, a network which grants a client computer access to network resources because of a bug on the client (or, for that matter, deliberately malicious behaviour on the client) is itself equally buggy, and dangerously insecure.
Server resources should fail closed when faced with a misbehaving client.
On the other hand, if you’re using your network authentication service to tell the client whether it should allow a user to access local resources, you rely on the correct behaviour of the authentication software on the client – just as you would if the user were logging in entirely locally.
And as far as I can make out, that’s what seems to be happening here. If you have an OS X Lion client which relies on an OpenLDAP authentication server, your Lion computer may be at risk.
If you leave your computer at the login screen, for instance, you might find that anyone else could log back in to your computer with any old username and password.
(Some of the reports in the abovementioned forums describe total lock-out, when no username or password, legitimate or otherwise, will work on their Lion clients. Others describe exactly the opposite, when it seems that any username and password will do.)
So this problem might not be quite the huge enterprise network hole Dan Goodin proclaims, but even if it isn’t, it’s still very serious.
It seems that at the very best there is a security bypass bug in OS X Lion’s local authentication.
Sadly, the one organisation which could usefully and helpfully comment on all of this just isn’t going to do so, at least not yet.
Apple’s official attitude to security, documented in its overarching knowledge base article HT1222, is a corporate Cone of Silence:
For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available.
Until Apple is good and ready, and has turned the problem into a thing of the past, you’re entirely on your own.
This is a unhelpful attitude to security by Apple, and it’s one which Apple users should keep criticising publicly until the company changes it. But it’s how Apple does business, so for now it’s simply part of the cost of having Macs in your corporate infrastructure.
Let’s hope for a silver lining. Perhaps this incident will be the one which persuades Apple to engage more closely with its many loyal fans on matters of security?
–
PS. If you’ve been affected by this bug, and can provide us with objective information about exactly which aspects of login and authentication are at risk, please let us know so can we update this article. In particular, if a user has correctly-authenticated network access, e.g. to a file server, and then locks his Mac, can an imposter unlock the computer with a non-existent password and pick up where the previous user left off? Or does this authentication problem affect local resources on Lion computers only? Also, which LDAP authentication back-ends are affected? Do you know of any reliable workarounds?
i'm glad I don't need it.
Glad I have Snow Leopard 😀 xD But seriously I know they use that policy because if they disclose too much information then it could help the hackers! But maybe they could not talk about the problem itself but about how we, the customers, can try to deal with it until they have a way to fix it permanently!
I upgraded to Lion, but my MacBook is not connected to the enterprise. Either way, I will be keeping a close watch on this one.
Everything about Sophos is so "Macish" I Hate it.
You hate it. So, …uh, the reason you continue to come here is…
It's not like this is the only place to get security news. And it's not like the majority of security news is about the Mac, either.
Sounds like your meds could use some tweaking.
I would be more worried about this if the rest of Lion wasn’t so buggy! At the moment I have that many concerns about it the whole thing holding together a security hole is last on my list.
Starting to look at Windows 7 with a little envy these days, at least I could file stuff where I actually want it on Windows!
Simon, what are your issues on Lion? I have been using it for over a month and for a non-LDAP user have found no noticeable errors or issues.
I'm also curious what sort of problems I should be looking out for Simon? Apple certainly needs to fix this issue ASAP, however I have not had any problems with Lion on my MBP, MBA or Lion Server on my Mac Mini Server.
I've been as impressed with Lion as I always am with new OSX releases.
Have been using Lion for 2 months. The greatest. You think Windows 7 is better? Oh guess again. Have 2 computers using win 7 can't wait to dump it for another Mac.
Anybody stupid enough to run OSX Server 10.7 in a live environment deserves these kind of problems. I've stuck with 10.6.8 Server controlling 10.7.1 clients
Good network/system admins: keep abreast of the issues, alert the necessary parties, engineer a workaround technical or political, keep the data safe.
Others: install gamma technologies in a sensitive production environment, blame someone, pull hair, blog it, wait for a fix.