What the heck is really going on in these Lion LDAP vulnerability reports?

Solution 1:

Don't be alarmed. This is not a huge threat to enterprise networks, as is suggested by this article in The Register.

Apple Lion is new, and thus this bug is getting a disproportionate amount of attention when compared to similar flaws on other operating systems. Here are some calmer descriptions of this same problem:

  • "Mac OS X Lion fails to check passwords when authenticating via LDAP".
  • Paul Ducklin from nakedsecurity.sophos.com wrote a more reasoned piece about this problem, and the hype behind it.

This is a local exploit on an Apple Lion system which affects that system only. Apple has yet to provide any details. Here's how I understand the problem: if someone logs into an Apple Lion system once successfully, then anyone else can log into the same system with any password. This is a serious problem for that system, but the damage is mostly limited to that particular system. Unfortunately that system is now less-trusted and may be on your network.

This problem does NOT allow a hacker to own your AD/LDAP servers, in and of itself. Your AD/LDAP servers will still reject any incorrect LDAP authorization request from any LDAP client. To bypass this would require a major flaw on the LDAP server or the LDAP protocol or a misconfigured server, which is a completely different issue than the problem described above.

Keep in mind that this problem only affects Apple Lion systems which use LDAP for authentication. In most organizations, this will be a very small number of clients. An Apple Lion server might be more vulnerable, but Apple needs to elaborate on the problem and they have not been very forthcoming about this issue, yet. Can you imagine RedHat holding back information on a publicly known vulnerability for such a long time?
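As an added illustration (not code from the original answer, and not Apple's login code, whose internals the answer says are undisclosed), here is a constructed Python model of the behaviour described above: a directory that verifies every bind, beside a client that wrongly stops re-checking the password after one successful login, and a client that binds every time. All names are hypothetical.

```python
import hashlib
import hmac
import secrets


class Directory:
    """Stand-in for an LDAP/AD server: the password is verified on every bind."""

    def __init__(self, users):
        # users: {uid: password}; stored as salted PBKDF2 digests for the model
        self._creds = {}
        for uid, pw in users.items():
            salt = secrets.token_bytes(16)
            self._creds[uid] = (salt, self._digest(pw, salt))

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)

    def bind(self, uid, password):
        entry = self._creds.get(uid)
        if entry is None:
            return False
        salt, stored = entry
        return hmac.compare_digest(self._digest(password, salt), stored)


class BrokenLoginWindow:
    """Models the flaw the answer describes: after one successful login,
    later logins for that user never consult the directory again."""

    def __init__(self, directory):
        self._dir = directory
        self._seen = set()

    def login(self, uid, password):
        if uid in self._seen:
            return True  # bug: password is not checked at all
        ok = self._dir.bind(uid, password)
        if ok:
            self._seen.add(uid)
        return ok


class CorrectLoginWindow:
    """Every login is a fresh bind, so the directory decides each time."""

    def __init__(self, directory):
        self._dir = directory

    def login(self, uid, password):
        return self._dir.bind(uid, password)


def demo():
    d = Directory({"alice": "correct horse"})  # constructed sample account
    broken, fixed = BrokenLoginWindow(d), CorrectLoginWindow(d)
    return {
        "first_login": broken.login("alice", "correct horse"),
        "broken_wrong_pw": broken.login("alice", "wrong"),   # accepted: the flaw
        "fixed_wrong_pw": fixed.login("alice", "wrong"),     # rejected
        "server_wrong_pw": d.bind("alice", "wrong"),         # server still rejects
    }
```

The last entry is the answer's key point: the directory server itself keeps rejecting bad credentials, so the damage stays on the client that skips the check.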

Solution 2:

The problem with the vulnerability is pretty well explained in the article linked by slashdot.

The true problem is that once someone gets onto any Lion machine on the network that is using LDAP as its authorization method, then you can read the contents of the LDAP directory, which would give you access to all accounts on the network that use central authentication. Additionally it gives you access to anything secured by the LDAP authorization system. Basically, you now own everything on that network.

As a side note, I'm curious if it is a bug in the LDAP authorization or the underlying (probably Kerberos) authentication system.

Also, if you are not using LDAP as your authorization source (OpenLDAP, Active Directory, NDS, etc.) then you are not affected by this.

To answer your specific question:

"Can anyone explain exactly what is being secured by OpenLDAP"

The answer is "It depends ..." on what your IT infrastructure has set up to use LDAP for authorization.