SecurityTracker.com
SecurityTracker Archives

Category:   OS (UNIX)  >   Apple macOS/OS X
Vendors:   Apple
Mac OS X May Transmit LDAP Passwords Without Encryption in Certain Cases
SecurityTracker Alert ID:  1006922
SecurityTracker URL:  http://securitytracker.com/id/1006922
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 5 2003
Impact:   Disclosure of authentication information
Vendor Confirmed:  Yes
Version(s): 10.2
Description:   A vulnerability was reported in Apple's Mac OS X Server. When using a Kerberos login with an LDAPv3 server, user account passwords may be transmitted in clear text.

Apple reported that the 'Login Window' function is vulnerable when the 'AuthenticationAuthority' attribute is not set. The function first attempts to authenticate using an encrypted password, but then falls back to an LDAP 'simple bind', which transmits the password in clear text. A remote user monitoring the network between the OS X server and the LDAP server can obtain the password during transmission.

Impact:   A remote user monitoring the network may be able to view user passwords as they are transmitted over the network.
Solution:   Apple has issued a knowledge base article (107579) describing how to prevent this by mapping the AuthenticationAuthority attribute to an existing non-null attribute in your LDAP server. See the document for complete instructions:

http://docs.info.apple.com/article.html?artnum=107579

Vendor URL:  docs.info.apple.com/article.html?artnum=107579
Cause:   Access control error, State error
Underlying OS:  UNIX (macOS/OS X)

Message History:   None.


Source Message Contents

Subject:  Mac OS X Server: How to Avoid Sending Clear Passwords in a Kerberos


http://docs.info.apple.com/article.html?artnum=107579

Apple reported that user account passwords may inadvertently be transmitted in clear text format by OS X when using a Kerberos login and when integrated with an LDAPv3 server.

According to the report, the 'Login Window' function is vulnerable when the 'AuthenticationAuthority' attribute is not set. The function will attempt to authenticate using an encrypted password, but will then attempt a 'simple bind' that transmits the password in clear text.

Apple has issued a knowledge base article (107579) describing how to prevent this by mapping the AuthenticationAuthority attribute to an existing non-null attribute in your LDAP server. See the document for complete instructions.
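As an added example (not part of the advisory or of Apple's software), the following Python decoder inspects raw LDAPv3 BindRequest messages (RFC 4511 BER encoding) and reports whether a bind is the SASL bind a Kerberos login should produce or the simple bind whose password crosses the wire in clear text, which is the fallback described above. The two sample messages are constructed by the helper functions, not captured traffic; the DN, password and mechanism are assumed values.

```python
from typing import Optional, Tuple

# BER tags used by an LDAPv3 BindRequest (RFC 4511): SEQUENCE 0x30, INTEGER 0x02,
# OCTET STRING 0x04, BindRequest [APPLICATION 0] 0x60, simple [0] 0x80, sasl [3] 0xA3.

def tlv(tag: int, content: bytes) -> bytes:
    """Encode one BER TLV (short-form length; the samples here are < 128 bytes)."""
    return bytes([tag, len(content)]) + content

def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode the TLV at pos (short- or long-form definite length)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: N length octets follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def classify_bind(msg: bytes) -> Optional[dict]:
    """Report how a BindRequest authenticates; None if msg is another LDAP op."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        return None
    _, msg_id, pos = read_tlv(body, 0)
    op_tag, op, _ = read_tlv(body, pos)
    if op_tag != 0x60:
        return None
    _, version, pos = read_tlv(op, 0)
    _, name, pos = read_tlv(op, pos)
    auth_tag, auth, _ = read_tlv(op, pos)
    info = {"message_id": int.from_bytes(msg_id, "big"), "version": version[0], "name": name.decode()}
    if auth_tag == 0x80:
        # Simple bind: the OCTET STRING is the password itself. Record only that
        # one is present (an empty string is an anonymous bind), never its value.
        info["auth"], info["password_on_wire"] = "simple", len(auth) > 0
    elif auth_tag == 0xA3:
        _, mech, _ = read_tlv(auth, 0)        # SaslCredentials.mechanism
        info["auth"], info["password_on_wire"] = "sasl/" + mech.decode(), False
    return info

def simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    """Constructed sample: the clear-text fallback the advisory describes."""
    op = tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, op))

def sasl_bind(msg_id: int, mechanism: str, token: bytes) -> bytes:
    """Constructed sample: the SASL bind a Kerberos (GSSAPI) login should use."""
    creds = tlv(0x04, mechanism.encode()) + tlv(0x04, token)
    op = tlv(0x02, b"\x03") + tlv(0x04, b"") + tlv(0xA3, creds)
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, op))
```

Feeding `classify_bind` the LDAP payloads from a capture of the server-to-directory link (after the AuthenticationAuthority mapping is in place) lets you confirm that no bind with `password_on_wire` set to True still occurs.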
Copyright 2021, SecurityGlobal.net LLC