Re: [Fed-Talk] encryption exposes passwords
- Subject: Re: [Fed-Talk] encryption exposes passwords
- From: Dave Schroeder <email@hidden>
- Date: Tue, 08 May 2012 07:17:20 -0500
This is the same issue that impacts 10.7.3 systems that are directory bound or using network homes, and was an issue that appeared with Mac OS X 10.7.3. It is indeed a bug and has been reported via Apple's bug and security reporting channels.
There is also an ongoing thread <http://lists.psu.edu/cgi-bin/wa?A2=ind1204&L=macenterprise&T=0&F=&S=&P=471292> on the MacEnterprise mailing list also covering this issue.
In sum, this impacts 10.7.3 systems under the following circumstances:
— 10.7.3 systems using legacy FileVault (FileVault 1), or
— 10.7.3 systems in certain directory bound or network home configurations
These issues, while themselves unrelated, are exposing the same problem.
It does not impact other configurations, or Lion systems using FileVault 2, which is the default for Lion, and which users are automatically urged to upgrade to when upgrading to Lion from Snow Leopard.
If you are not directory bound/using network homes or not using legacy FileVault (FileVault 1) after having explicitly chosen not to update to FileVault 2, you are not impacted by this issue.
It is important to note that this is not a FileVault issue, but it renders FileVault 1 effectively useless on Lion systems, because the decryption passkey for FileVault 1 is by default the user's password, which can be culled from the log file via Target Disk Mode. FileVault 1 only encrypts the user's home directory. FileVault 2 encrypts the entire drive, and also does not expose this issue.
The scope of this problem is narrow, because most Lion users are not using FileVault, and those that are, are not using FileVault 1. The only users with FileVault 1 are users who would have been previously using FileVault 1 on Snow Leopard, upgraded that system to Lion, and explicitly declined to transition to FileVault 2.
This is sloppy QA on Apple's part, but from a real impact perspective, which I presume would be of interest to IT administrators, it's a now-known bug introduced in 10.7.3 that impacts a small cross section of Lion systems in the specific configurations outlined above.
There are a variety of mitigation methods on systems currently impacted by this. For FileVault 1 users, the solution is to upgrade to FileVault 2, which is an easy process and recommended by Apple anyway, and then change your password (no one would have access to your password in any event unless they had physical access to the machine and a firmware password was not enabled). Mitigation methods for the directory bound/network home scenario are discussed in the MacEnterprise thread: <http://lists.psu.edu/cgi-bin/wa?A2=ind1204&L=macenterprise&T=0&F=&S=&P=471292>
Once this bug is fixed in 10.7.4 or a separate security update, the permanent mitigation will be to change your password after the patch is applied (which isn't necessarily required in all circumstances, but is the safest alternative because of cases where that log file may have e.g. been backed up somewhere else).
- Dave
On May 6, 2012, at 2:12 PM, Todd Heberlein wrote:
> Oops.
>
> Apple security blunder exposes Lion login passwords in clear text
> http://www.zdnet.com/blog/security/apple-security-blunder-exposes-lion-login-passwords-in-clear-text/11963
>
>> With the latest Lion security update, Mac OS X 10.7.3, Apple has accidentally turned on a debug log file outside of the encrypted area that stores the user’s password in clear text.
>
>> Anyone who used FileVault encryption on their Mac prior to Lion, upgraded to Lion, but kept the folders encrypted using the legacy version of FileVault is vulnerable. FileVault 2 (whole disk encryption) is unaffected.
>