

Mac OS X Lion accepts any password when authenticating via LDAP - d0ne
http://forums.macrumors.com/showthread.php?t=1197379

======
parfe
News.YC community is being much kinder towards Apple than it acted towards
Dropbox for identical security bugs. Dropbox even had the issue resolved in
hours.

I don't see anyone threatening to switch away from Apple or demanding an
immediate personal response from Steve Jobs or ranting how this lapse is
unforgivable.

And you can't say it's because this bug only affects a small portion of Lion
users as the Dropbox bug also only affected 100 accounts.

~~~
dpcan
This is how bullying works.

If the victim is small and accessible, with their reputation on the line, you
can put them in their place.

When DropBox broke, the community pounced.

Apple can't be bullied.

With DropBox I can just cancel my membership and sign-up somewhere else.

I'm not going to throw out my $1000+ Mac with $1000+ in software on it out the
Window, right along with my livelihood of creating software for iOS. I'm not
going to cancel my iPhone contract and pay hundreds in penalties too, and
throw out all my apps and games and switch to Android. Not happening.

They've got us by the balls here, we just have to let them fix this and move
on.

~~~
true_religion
It's not bullying to tell people to fix security bugs.

It's not bullying to use your own resources to entice (or force) them to do so
in a timely manner.

You're right that no one can threaten Apple and get action, but you're wrong
in characterizing the threat as bullying.

------
blinkingled
Tells you something about Apple's testing methodology. QA team at Apple must
be playing real fast and loose.

Being affected by 3 serious regressions in Lion (all filed as bugs and Apple
closed them as duplicates, btw) - I get the feeling that Apple could do better
at software engineering. (Alarms on iOS if you are still not convinced :) Just
the fact that they release software that allows authentication without correct
password means that they lack any kind of automated test case verification
even for basic functionality - and this _is_ basic functionality we are
talking about, not some obscure thing that happens only when dozen different
factors are combined or a thing that only happens once in billion tries.

Say what you will about Microsoft but in my several years of using Windows I
rarely had these type of glaring issues even with the awful amount of hardware
it supports. It might just be that Microsoft was forced to adopt better
Engineering practices due to their situation - lot of complexity, huge impact
potential, and lot of money at stake - 50% server market and the Server OS
shares a whole lot with consumer version etc.

Not trying to troll - just my thoughts on something that I have always
wondered - how Engineering culture varies between different successful
software companies and to what effect.

~~~
Lewisham
_Tells you something about Apple's testing methodology. QA team at Apple must
be playing real fast and loose._

Yep, I agree. I've been very disappointed with Lion, even taking into account
the common "Don't buy an x.0 Apple product", there were some terrible bugs (I
was personally bitten by the inability to look up DNS servers after waking
from sleep, which I can't believe was missed in testing).

Apple's software quality has been markedly going down. iTunes is a UI mess,
and I used to really like it. Safari continues to lag behind the competition
(no omnibar/awesome bar? Really?), iWork has stagnated. I suspect the reason
is that Apple is growing, and the Eye of Jobs is focused entirely on iOS
products, so the quality is being diluted in other areas.

I strongly feel like Apple's leadership is looking forward to the day when
they can kill off the Mac completely. The line of "we'll always need something
for developers to develop on" doesn't make a lot of sense. With Apple on x86,
I can see a future where Xcode lives on Ubuntu/Windows.

~~~
anon1385
_Apple's software quality has been markedly going down_

People have said the same thing about nearly every OS X release (with the
possible exception of 10.1). At least Lion doesn't erase your firewire hard
drives [1], or delete your entire home folder [2] etc etc. The comparative
severity of these really bad bugs can be debated, but I think in terms of
general quality OS X 10.0 − 10.2 really were quite a lot worse than the more
recent releases.

I don't disagree with your general point though, the Mac is obviously not
their priority anymore, and hasn't been for a while.

[1] <http://www.wired.com/gadgets/mac/news/2003/10/61031>

[2] <http://macs.about.com/b/2009/10/13/snow-leopard-may-delete-user-accounts-are-you-at-risk.htm>

~~~
sneak
Possible, but having gone from 8.6->Linux->10.4 myself, I think it's worth
noting that 10.6, their previous release, was without question one of the most
solid, stable, usable desktop OSes ever released by anyone. 10.7's instability
and rough edges seem extraordinarily out of place by comparison.

~~~
epochwolf
Did you look at the linked articles? The second one is titled: "Snow Leopard
May Delete User Accounts: Are You At Risk?"

------
fredoliveira
This looks both real and a pretty serious issue (I wonder how it went by
almost a month without getting picked up by the security community). There's
a discussion about it on Apple's own forums, linked below, but the gist of it
is that users can authenticate over LDAP using any password using the login
screen, and can't authenticate at all using su:

<https://discussions.apple.com/message/15887083>

~~~
tptacek
Not many people in the security community use Mac servers in such a way that
they need LDAP, and of those people, very few are running Lion on their
servers.

~~~
MostAwesomeDude
It wasn't your bug to find, it was _Apple's_, and they should have found it
far sooner.

~~~
tptacek
Who are you talking to? Me? Did you read the comment thread? I'm not sure who
you're arguing with, or why you picked me for this reply.

~~~
MostAwesomeDude
Yeah, you're right, I misposted. Sorry.

------
city41
Can someone give a quick lowdown on what's really happening here? I am
assuming the Lion client is connecting to an LDAP server using the provided
password, and regardless of the response from LDAP, Lion proceeds with the
login?

~~~
a2tech
No, if you try to submit a blank password it is (rightly) rejected. If you
submit a non-blank password, the login succeeds. This (to me) points to the
LDAP server responding with a login success message and the OS allowing the
user in. This bug appears to only affect Lion clients talking to OpenLDAP (not
the LDAP server shipped with Lion Server) or Active Directory.

~~~
ataraxia
I played with a Lion client bound to OpenLDAP running on a Linux server. I
could login with my username and _any_ password (empty or not). I used a
packet sniffer and it appeared to me, that the Lion client is not even sending
the password to the server, but simply logging the user in. At least in my
case, the server didn't send any login success message, and the Lion still let
the user in. It clearly seems to be an issue on the side of the Mac OS X
client, not the server.

------
a2tech
This is only an issue when binding to an OpenLDAP server. There may be
additional issues with LDAP on Lion server, but this problem as reported is an
issue with Lion clients bound to servers running OpenLDAP without Kerberos or
SSL.

~~~
matsur
Your use of the word "only" here is misplaced. This is a very serious security
issue that affects clients connecting to OpenLDAP.

~~~
a2tech
Indeed, for users that are bound to OpenLDAP it's a massive issue. Without
knowing those users' exact setup it's hard to know exactly what the issue is;
the fact that it's ONLY OpenLDAP servers is odd. The client must be receiving
some sort of authentication succeeded message (you will note that it won't
accept a blank password, so in that case OpenLDAP is responding with a
failure). It may be a bug in Lion that triggers a bug in OpenLDAP.

------
SoftwareMaven
First, this is a terrible bug. Shame on Apple for not rushing a fix, but...

Enterprises should not be doing immediate upgrades to any operating system, no
matter how sparkly. I'm still waiting to upgrade my MacBook, and it's just me.
No OS release goes off without a hitch (though there are some pretty
impressive Linux releases!).

~~~
tomelders
In all fairness, someone has to be an early adopter, otherwise issues like
this would go unnoticed.

I've no idea how complex a problem it is to fix, but it is worrying that it
seems to be taking a while for Apple to fix it.

~~~
weaksauce
I think you are missing the point that the gp is making; any enterprise that
this would affect should not be provisioning it to the servers/clients until
they test it on a smaller scale. This issue would be found during the normal
testing channels of enterprise adoption.

------
edtechdev
There have long been issues with LDAP in Mac OS X. They don't use a standard
version. It doesn't work with PHP's LDAP module. And there have long been
security issues, too: PHP was often out of date with security vulnerabilities.
So much so that our campus ended up blocking all Mac web servers.

Here are several other issues I wrote up a couple of years ago, the last time
I was forced to use Mac OS X server:
<http://edtechdev.wordpress.com/2009/01/31/dont-use-mac-os-x-as-a-server/>

~~~
delinka
If you're hosting PHP on a Mac, I'd hope you're using a package manager so
that you're not dependent on Apple to update third party software. Perhaps they
_should_ be providing timely updates to third party items that they include,
but _depending_ on those updates is foolhardy.

------
smithian
Can anyone confirm or deny that this is only an issue when authenticating to
an OpenLDAP server (i.e. does it also affect authentication against Active
Directory?) I will check it when I get to the office and update here. This
could potentially be very serious.

~~~
awakeasleep
Active directory works as you'd expect.

~~~
authorityaction
We just got some Lion iMacs and have not been able to keep them connected to
the AD. It doesn't work as expected, unfortunately.

~~~
amazingman
Are you talking about the "Network accounts unavailable" red light? If you
wait ~20secs, it generally resolves itself. Definitely a bug, but just an
annoying one.

~~~
authorityaction
Yep, that's the one. We've tried waiting and even increased the timeout from 2
seconds to something higher and it's still not working.

------
elb0w
Says this is a solution: <https://discussions.apple.com/message/15700245>

------
Hovertruck
What alarms me is that on both of my computers with Lion, about half of the
time just clicking on a name on the login screen works without entering the
password. Happens on my friend's Lion install as well.

~~~
wgx
I have authentication on after every screensaver and I've _never_ been able to
bypass the password. Weird.

~~~
tptacek
Likewise. We're an all-Mac shop, we do semiregular audits of everyone's
machines, and I've never seen this happen.

------
amazingman
I've seen this story in 4 or 5 places today and I _still_ can't seem to find
the details of the issue. Anyone have any links or info?

------
alrs
Snow Leopard is the Windows 2000 of the NeXTSTEP operating systems, the best
example of the series before the inevitable decline.

------
wuster
Oh yikes. This deserves an update... yesterday. How can it be discovered and
discussed only a month later?

~~~
r00fus
Only happens if OpenLDAP is not secured by Kerberos or SSL... I don't see this
as very common in the first place (i.e., cleartext over the wire for auth?!).

------
codex
OpenLDAP is... kind of a piece of junk. I'm not surprised there are issues
here. But again, who binds in cleartext?

------
napierzaza
Why are they not using Kerberos and SSL though? Does this affect those users
who actually do take security seriously or just the bare bones implementations
that aren't safe anyways?

~~~
marshray
I don't know about Macs specifically (Apple makes servers?) or why they aren't
using Kerb, but LDAP is commonly used over SSL/TLS. "LDAPS" some call it.

LDAP wasn't originally designed to be an authentication protocol. If Mac
clients are using it to make authentication decisions, they had better be
requiring SSL/TLS on that connection (and validating the server cert
perfectly, too).

~~~
marshray
Apparently, the forum poster says he's not using SSL/TLS with LDAP for the
login authentication.

Sounds to me like impersonating an LDAP server would grant login to Macs
configured thusly.

------
brudgers
<snark>Well, it is intended to be a _lightweight_ protocol after all.</snark>

~~~
abcd_f
Not sure why you are in gray. That's a really good joke.

