
Apple security blunder exposes Lion login passwords in clear text



nsane.forums

With the latest Lion security update, Mac OS X 10.7.3, Apple has accidentally turned on a debug log file outside of the encrypted area that stores the user’s password in clear text.


An Apple programmer, apparently by accident, left a debug flag in the most recent version of the Mac OS X operating system. In specific configurations, applying OS X Lion update 10.7.3 turns on a system-wide debug log file that contains the login passwords of every user who has logged in since the update was applied. The passwords are stored in clear text.

Anyone who used FileVault encryption on their Mac prior to Lion, upgraded to Lion, but kept the folders encrypted using the legacy version of FileVault is vulnerable. FileVault 2 (whole disk encryption) is unaffected.

The flaw was first reported by security researcher David Emery, who posted his findings to the Cryptome mailing list. The bug has not been corrected by any subsequent updates. Emery explains the severity of the issue:

This is worse than it seems, since the log in question can also be read by booting the machine into firewire disk mode and reading it by opening the drive as a disk or by booting the new-with-LION recovery partition and using the available superuser shell to mount the main file system partition and read the file. This would allow someone to break into encrypted partitions on machines they did not have any idea of any login passwords for.

Since the log file is accessible outside of the encrypted area, anyone with administrator or root access can grab the user credentials for an encrypted home directory tree. They can also access the files by connecting the drive via FireWire. Having done that, they can then not only read the encrypted files that are meant to be hidden from prying eyes, but they can also access anything else meant to be protected by that user name and password.

This leak of credentials could be catastrophic for businesses that have relied on the FileVault feature in Macs for years. FileVault is intended to protect sensitive information stored by providing an encrypted user home directory contained in an encrypted file system mounted on top of the user’s home directory. If an employee has their Mac stolen, however, anything they encrypted, as well as anything that requires those credentials, can be accessed without hindrance if the vulnerable configuration is in place.

This also affects Time Machine backups to external drives. If your hard drive is stolen, it doesn’t matter that the backups require a key to read. The backed-up log file contains the required password stored in clear text. This means your compromised password has been backed up for the long term.

In addition to theft or just plain physical access, it would be possible for cyber criminals to write very specific malware that knows where to look on a targeted system. While this would be difficult to implement, the lure for cyber criminals is obvious; anything encrypted, especially by an enterprise employee, has the potential to be very valuable.

Mac OS X version 10.7.3 was released on February 1, 2012. This means for users who updated immediately, weeks of accessing encrypted folders is now available for anyone to see. The good news is that it isn’t the full three months since the log file is only kept by default for several weeks. If you updated last week, then it’s only one week of password accesses that has been stored. Of course, sometimes that’s all it takes.

Some users have already noticed this feature in the wild but hadn’t yet stumbled across the reason. Users on the Novell Forums noticed and have been discussing the issue since last week.

On the Apple Support Communities, at least one user noticed the flaw exactly three months ago, and asked for an explanation. Here’s what he wrote:

I’ve tried it on another Mac as well, same result: The login of a normal network user writes this log line as his homedir gets mounted.

This poses a security risk. We have some users who are local admins, they could ask another user to login on their Mac and look for the password afterwards. Extraction in single user mode would be possible as well.

Is this a “speciality” of our environment or is this a known bug? Can I turn this behavior off?

We are running Lion clients with a SL Server and using OpenDirectory.

Nobody got back to him.

This flaw further shows Apple has a quality assurance problem. When it comes to encryption, it’s important to choose a secure algorithm, but implementation is even more important. A simple bug in how the keys are secured, managed, or accessed can lead to a massive unraveling, as we’ve seen here.

Apple needs to fix this issue as soon as possible. Even when a patch is made available, it will be impossible for the company to ensure the log file has been deleted, especially given all the places it may have been backed up. This means your password could still be out there even after you update, so after you do, make sure to change it.

I’d like to thank my colleague Ed Bott for editing and contributing to this report.

I have contacted Apple and will update you if I hear back.

visualbuffs

Apple's latest Lion update stores passwords in cleartext


April was not a good month for Apple as Flashback infected over half a million OS X machines, followed by a new Mac-specific Java vulnerability called SabPub a little later. Kaspersky Labs even stirred up user emotions after commenting that Apple’s security is “10 years behind Microsoft.”

Unfortunately for Apple, the hits keep on coming in May as security researcher David Emery has uncovered a setting within Lion 10.7.3 that tells the operating system to store user passwords in cleartext. It appears that a developer turned on a debugging flag to store this data, but forgot to turn it off before submitting the code for the OS update.

According to the article, a machine is vulnerable if it was using FileVault encryption prior to Lion then later upgraded to Lion. The vulnerability does not extend to FileVault 2.

While many may say that the risks are low since only users in the administrator group can access the file, this isn’t entirely true. The article explains another risky proposition, especially for enterprises that rely on encrypting sensitive data on portable laptops.

This is worse than it seems, since the log in question can also be read by booting the machine into firewire disk mode and reading it by opening the drive as a disk or by booting the new-with-Lion recovery partition and using the available superuser shell to mount the main file system partition and read the file. This would allow someone to break into encrypted partitions on machines they did not have any idea of any login passwords for.

Even more interesting is that this issue was apparently discovered back in February, right after the 10.7.3 upgrade. A user by the name of tarwinator posted this issue on Apple's support forums but nobody from the company even made a comment on the post.

Apple desktops are gaining market share and, as predicted, this means there will be more people looking to exploit the system for personal gain. So much for Apple’s security being leaps and bounds better than Microsoft.

Image Courtesy of Apple's Support forum



good thing i have filevault (2) enabled then ;) on a side note: buying a mac was a mistake. never again.
