Mac Lion blindly accepts any LDAP password

[InfoSec News <alerts () infosecnews org>]

http://www.theregister.co.uk/2011/08/26/mac_osx_lion_security_hole/

By Dan Goodin in San Francisco
The Register
26th August 2011

Apple's latest version of Mac OS X is creating serious security risks 
for businesses that use it to interact with a popular form of 
centralized networks.

People logging in to Macs running OS X 10.7, aka Lion, can access 
restricted resources using any password they want when the machines use 
a popular technology known as LDAP for authentication. Short for 
Lightweight Directory Access Protocol, LDAP servers frequently contain 
repositories of highly sensitive enterprise data, making them a goldmine 
to attackers trying to burrow their way in to sensitive networks.

“As pen testers, one of the first things we do is attack the LDAP 
server,” Rob Graham, CEO of auditing firm Errata Security, said. “Once 
we own an LDAP server we own everything. I can walk up to any laptop (in 
an organization) and log into it.”

The LDAP breakdowns in Lion aren't well understood because Apple still 
hasn't admitted there's any problem. But according to threads here and 
here, it affects Macs running Lion that use LDAP to authenticate users 
to different desktop machines. After the initial login, Lion users can 
log in with any password. Apple's latest operating system, which was 
released last month, blindly accepts whatever pass code it's given.

[...]

_____________________________________________________________
Register now for the #HITB2011KUL - Asia's premier
deep-knowledge network security event now in it's 9th year!
http://conference.hitb.org/hitbsecconf2011kul/