FileVault security hole discovered in OS X Lion 10.7.3
Apple's legacy FileVault Mac encryption system in OS X 10.7.3 has a security flaw that could allow malicious users to access stored passwords.
The flaw was detailed late last week in a post by David I. Emery on the Crytome mailing list (via Suddeutsche.de). The issue only applies in specific configurations to users who have updated to OS X 10.7.3, in which a system-wide debug file that displays login passwords in plain text is created.
"Thus anyone who can read files accessible to group admin can discover the login passwords of any users of legacy (pre LION) Filevault home directories who have logged in since the upgrade to 10.7.3 in early February 2012," Emery explained.
The log-in data can also be viewed by booting a Mac into FireWire disk mode and reading it by opening the drive as a disk. The information can also be accessed by booting the Lion recovery partition and using the available superuser shell to mount the main file system partition.
Users can protect themselves from these methods by using the whole disk encryption capabilities of FileVault 2. Emery explained that this requires that a user know at least one login password before they can access the main partition of the disk.
Further protection can be achieved by setting a firmware password that must be supplied before a user can boot the recover partition or external media, or enter firewire disk mode.
"Having the password logged in the clear in an admin readable file *COMPLETELY* breaks a security model ? not uncommon in families ? where different users of a particular machine are isolated from each other and cannot access each others' files or login as each other with some degree of assurance of security," Emery wrote.
The bug was introduced with Apple's OS X 10.7.3 update, which was issued in early February. The latest version of Lion came with Wi-Fi connectivity fixes and Windows file sharing compatibility.
The flaw was detailed late last week in a post by David I. Emery on the Crytome mailing list (via Suddeutsche.de). The issue only applies in specific configurations to users who have updated to OS X 10.7.3, in which a system-wide debug file that displays login passwords in plain text is created.
"Thus anyone who can read files accessible to group admin can discover the login passwords of any users of legacy (pre LION) Filevault home directories who have logged in since the upgrade to 10.7.3 in early February 2012," Emery explained.
The log-in data can also be viewed by booting a Mac into FireWire disk mode and reading it by opening the drive as a disk. The information can also be accessed by booting the Lion recovery partition and using the available superuser shell to mount the main file system partition.
Users can protect themselves from these methods by using the whole disk encryption capabilities of FileVault 2. Emery explained that this requires that a user know at least one login password before they can access the main partition of the disk.
Further protection can be achieved by setting a firmware password that must be supplied before a user can boot the recover partition or external media, or enter firewire disk mode.
"Having the password logged in the clear in an admin readable file *COMPLETELY* breaks a security model ? not uncommon in families ? where different users of a particular machine are isolated from each other and cannot access each others' files or login as each other with some degree of assurance of security," Emery wrote.
The bug was introduced with Apple's OS X 10.7.3 update, which was issued in early February. The latest version of Lion came with Wi-Fi connectivity fixes and Windows file sharing compatibility.
Comments
Actually, the security flaw is known since Februray 6th, so over 3 month!
https://discussions.apple.com/thread/3715366
This is legacy software. You can't even turn it on anymore. It requires an upgrade from a previous OS that had it enabled. It was rarely used prior to it being replaced by FileVault 2 due to its many technical limitations. Any serious enterprise user used one of the third party alternatives prior to FileVault 2 being released. This basically doesn't affect anyone.
This has been known about for three months and has been a non-issue that whole time.
you 'd think they 'd spend a bit more time addressing it, if they can't be more attentive for it not to be there to begin with... Such sloppy work these days for os x...
The fact that it's not a common scenario doesn't minimize its severity or eliminate the need for this to be addressed. There are people in work environments who share computers. There is malware that doesn't even need physical access. If this was another OS I'm sure there would be a lot more uproar on this site.
No one said it didn't need to be fixed.
But uproar if it were a different OS? Nonsense. Windows has plenty of security flaws that don't require physical access. This one does require physical access to the computer - at least close enough to connect a Firewire cable. And if you give someone physical access to your computer, all security bets are off.
This seems very serious for any pre-Lion FileVault user. Someone has FileVault on Snow Leopard or earlier? Upgrade it to Lion 10.7.3 and the contents are yours. It would seem that the security of pre-Lion FileVault is permanently compromised. Or does it require that the user log in one time after the upgrade, in which case security is maintained as long as the user avoids that situation?
Quote:
Originally Posted by Magic_Al
This seems very serious for any pre-Lion FileVault user. Someone has FileVault on Snow Leopard or earlier? Upgrade it to Lion 10.7.3 and the contents are yours. It would seem that the security of pre-Lion FileVault is permanently compromised. Or does it require that the user log in one time after the upgrade, in which case security is maintained as long as the user avoids that situation?
I guess this is one way to encourage people to migrate from pre-Lion versions of OSX.
Quote:
Originally Posted by myapplelove
Such sloppy work these days for os x...
OSX has relegated to "B Team" engineers.
The hot shit programmers get to work on iOS.
You do realize that this affects almost all schools, universities and any organization that uses remote home directories... Not just filevault!
A process called "HomeDirMounter" is used by "authorizationhost" on OS X to mount remote home directories stored on a networked server, commonly in enterprise environments like offices or schools. This process accesses the remote directory and mounts it to a local computer as if it existed locally on the main boot volume. This same process mounts encrypted FileVault home directories created with earlier versions of OS X, which are stored in a separate, encrypted virtual volume (or sparse bundle).
In OS X 10.7.3, HomeDirMounter logs information that appears to have been used for debugging during development of the 10.7.3 update. Among the information it stores in
var/logs/secure.logis the password used to mount a home directory, in clear text, anytime a remote or FileVault home directory is mounted.http://arstechnica.com/apple/news/2012/05/debug-code-in-os-x-1073-exposes-passwords-for-legacy-filevault-network-users.ars
Any one who mounts a home directory gets their password logged... So yes not a lot of people use Filevault, but a TON are mounting home directories...
just FYI...
One day Apple will use a decent encryption algorithm. What they currently offer is not just good enough. We're being weaned off internal data storage to cloud (storms) and I don't predict any silver in the lining of Apples' feeble offering. They really need to grasp this by the horns and develop their OS and hardware to become the industry benchmark for end-user security.
Delayed software updates, chewing-gum an' 'lastic bands just aint a solution in the 21st Century.