
MacRumors

macrumors bot
Original poster
Apr 12, 2001
63,547
30,863





ZDNet reports on the discovery of a significant breach of password security for certain users of Apple's FileVault encryption system under OS X Lion. Affected systems currently store the login information for every recent user of the machine in plain text, allowing for easy circumvention of encryption.
In specific configurations, applying OS X Lion update 10.7.3 turns on a system-wide debug log file that contains the login passwords of every user who has logged in since the update was applied. The passwords are stored in clear text.

Anyone who used FileVault encryption on their Mac prior to Lion, upgraded to Lion, but kept the folders encrypted using the legacy version of FileVault is vulnerable. FileVault 2 (whole disk encryption) is unaffected.
The issue was noted last Friday by David Emery on the Cryptome mailing list.
This is worse than it seems, since the log in question can also be read by booting the machine into firewire disk mode and reading it by opening the drive as a disk or by booting the new-with-LION recovery partition and using the available superuser shell to mount the main file system partition and read the file. This would allow someone to break into encrypted partitions on machines they did not have any idea of any login passwords for.
Emery also offers some suggestions for dealing with the issue, including turning on FileVault 2 and setting a firmware password on the machine in question.

The issue was actually first noted in the Apple discussion forums back on February 6, just days after OS X 10.7.3 was released to the public. That poster now notes that the issue may extend further than just the specific FileVault situation outlined by others, as he notes that he has experienced the same behavior on an OS X Lion virtual machine through VMware Fusion, without FileVault ever having been active on the installation. Consequently, the extent of the issue may not yet be fully known.

Apple has yet to offer any response to the issue, although it is unclear when the company became aware of it. Apple touts the security features of OS X Lion in its promotional materials for the operating system, with a focus on FileVault as an important component of that security, and it seems likely that the company will move as quickly as possible to investigate and fix the issue.

Article Link: Password Security Hole Discovered in Certain FileVault Configurations on OS X 10.7.3
 

daveschroeder

macrumors 6502
Sep 14, 2003
315
13
Madison, WI
This also affects Lion in certain configurations where the system is bound to an external directory, which is what the initial poster on Apple's discussion forums was posting about. He was simply trying to replicate the issue in a VM, which he did.

There is an ongoing thread on the MacEnterprise mailing list also covering this issue. It's an issue which appeared with 10.7.3, and is the same log file referenced with this FileVault 1 issue, and was also assumed to be simply a bug or oversight on Apple's part.

In sum, this impacts 10.7.3 systems under the following circumstances:

— 10.7.3 systems using legacy FileVault (FileVault 1)
— 10.7.3 systems in certain directory-bound or network-home configurations

These issues, while themselves unrelated, are exposing the same problem.

It does not impact other configurations, or Lion systems using FileVault 2, which is the default for Lion, and which users are automatically urged to upgrade to when upgrading to Lion from Snow Leopard.

If you are not directory bound/using network homes or not using legacy FileVault (FileVault 1) after having explicitly chosen not to update to FileVault 2, you are not impacted by this issue.

It is important to note that this is not a FileVault issue, but it renders FileVault 1 effectively useless on Lion systems, because the decryption passkey for FileVault 1 is by default the user's password, which can be culled from the log file via Target Disk Mode. FileVault 1 only encrypts the user's home directory. FileVault 2 encrypts the entire drive, and also does not expose this issue.

The scope of this problem is narrow, because most Lion users are not using FileVault, and those that are are not using FileVault 1. The only users with FileVault 1 are users who would have been previously using FileVault 1 on Snow Leopard, upgraded that system to Lion, and explicitly declined to transition to FileVault 2.

This is sloppy QA on Apple's part, but from a real impact perspective, which I presume would be actually relevant here, it's a now-known bug introduced in 10.7.3 that impacts a small cross section of Lion systems in the specific configurations outlined above.

There are a variety of mitigation methods on systems currently impacted by this. For FileVault 1 users, the solution is to upgrade to FileVault 2, which is an easy process and recommended by Apple anyway, and then change your password (no one would have access to your password in any event unless they had physical access to the machine and a firmware password was not enabled). Mitigation methods for the directory bound/network home scenario are discussed in the MacEnterprise thread.

Once this bug is fixed in 10.7.4 or a separate security update the permanent mitigation will be to change your password after the patch is applied (which isn't necessarily required in all circumstances, but is the safest alternative because of cases where that log file may have e.g. been backed up somewhere else).
 

Small White Car

macrumors G4
Aug 29, 2006
10,966
1,463
Washington DC
I'm actually one of those people who like the user-features added to Lion, but doesn't it seem like the behind-the-scenes stuff in Lion is the sloppiest work in ANY version of the Mac OS?

I just feel like I'm seeing more stories like this these days than I did in past years.
 

Zwhaler

macrumors 604
Jun 10, 2006
7,094
1,566
Saw this posted on 9to5mac... I guess I'm lucky I haven't upgraded to Lion at all yet. Haven't seen a response from Apple as of yet.
 

MacN3wb

macrumors newbie
May 6, 2012
9
0
https://discussions.apple.com/thread/3715366

"Re: Network user: plain text PWs in client log?!
07.05.2012 01:34 (in response to tarwinator)
I'm not sure if I can support the assumption that this is an error in filevault.

I've just tried logging in as a network user in a newly set up and updated Lion VM (VMware Fusion) and ran into the same behavior. FileVault was never active on this system.

Can someone with the following environment please verify:
- OpenDirectory users with Network Home on AFP
- Lion (10.7.3) Clients
- Snow Leopard or Lion Server

Steps:
- Set up a new machine, or use one that never had FileVault enabled
- Log in as an (unprivileged!) network user with a Network Home on an AFP share
- Log out, log in as an admin user
- Check "Console" for log messages containing the string "_premountHomedir"

Please help to get to the bottom of this!"
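
The Console check quoted above, and the concern raised earlier in the thread that the log file may have been backed up somewhere else, can be combined into one audit. This is an added example, not code from the thread or from Apple: the directory to scan is passed as an argument, and the sample log lines in `demo()` are constructed with an invented line format. Only file names and line numbers are reported, so the audit output does not become another copy of the passwords.

```python
import bz2
import gzip
import os
import sys
import tempfile

MARKER = "_premountHomedir"  # the string the quoted Apple forum post says to look for


def open_log(path):
    """Open plain, gzip- or bzip2-rotated logs as text (undecodable bytes are replaced)."""
    opener = gzip.open if path.endswith(".gz") else bz2.open if path.endswith(".bz2") else open
    return opener(path, "rt", encoding="utf-8", errors="replace")


def scan_tree(root):
    """Return {path: [line numbers]} for files under root that contain MARKER."""
    hits = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open_log(path) as fh:
                    lines = [n for n, text in enumerate(fh, 1) if MARKER in text]
            except (OSError, EOFError):  # unreadable, mislabelled or truncated file
                continue
            if lines:
                hits[path] = lines
    return hits


def demo():
    """Run the scan over constructed sample logs (the line format is invented)."""
    leak = "May  6 10:00:01 host proc[1]: _premountHomedir user=alice password=CONSTRUCTED\n"
    clean = "May  6 10:00:02 host proc[1]: session opened\n"
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "sample.log"), "w") as fh:
            fh.write(clean + leak)
        with gzip.open(os.path.join(root, "sample.log.0.gz"), "wt") as fh:
            fh.write(leak + clean + leak)  # rotated, compressed copy
        with open(os.path.join(root, "other.log"), "w") as fh:
            fh.write(clean)
        return {os.path.basename(p): n for p, n in scan_tree(root).items()}


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, lines in sorted(scan_tree(root).items()):
        print(f"{path}: {len(lines)} matching line(s) at {lines}")
```

Any file it reports, including rotated or backed-up copies, should be treated as containing credentials until the affected passwords have been changed.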
 

bertman

macrumors member
May 28, 2008
62
0
Laurel, Maryland
What exactly is the specific configuration in question

"Anyone who used FileVault encryption on their Mac prior to Lion, upgraded to Lion, but kept the folders encrypted using the legacy version of FileVault is vulnerable. FileVault 2 (whole disk encryption) is unaffected." ...according to the original post. Let's see how the whole VM issue plays out...
 

slrandall

macrumors 6502
Jun 15, 2011
412
0
What's the difference between FileVault and FileVault 2? I use 2, but are there any reasons someone would be unable to upgrade from the original to the new version?

If not, this seems like a non-issue.
 

loveturtle

macrumors member
Apr 7, 2006
68
0
Florida
What's the difference between FileVault and FileVault 2? I use 2, but are there any reasons someone would be unable to upgrade from the original to the new version?

If not, this seems like a non-issue.

This is not a non-issue. Don't be an apologist. There are legitimate reasons to use FileVault v1 over v2. v1 encrypts your home directory while v2 encrypts the whole filesystem. If you have untrusted users on the same computer (say shared with a family) v2 will give other users full access to your files while v1 will encrypt on a per home directory basis and another user will be unable to see your files.

Even if there were no legitimate reason to use v1 over v2 that is still no excuse. This is a serious oversight with serious consequences. Now these kinds of things happen and the fact that it happened is not an insult to Apple. However, there is no excuse for it going unpatched for this long. There should have been a patch immediately after it was discovered. There is no excuse for that.
 

3282868

macrumors 603
Jan 8, 2009
5,281
0
This is one reason why I wish Apple would start hiring more engineers instead of shuffling them back and forth between iOS and OS X departments as they have since before the first iPhone launch in 2006 (Leopard was delayed twice to an October '06 release as engineers from OS X were shifted to iOS).

It's been stated Jobs hated hiring more, and kept a tight knit group of engineers. Perhaps more would help alleviate/diminish the odds of such programming flaws. Who knows. Either way, I'm sure it wouldn't hurt.

I'm actually one of those people who like the user-features added to Lion, but doesn't it seem like the behind-the-scenes stuff in Lion is the sloppiest work in ANY version of the Mac OS?

I just feel like I'm seeing more stories like this these days than I did in past years.

Agree. From what I gather, engineers are strained, being spread across iOS and OS X departments. In part to unify the group but also in keeping with Jobs' desire for a small engineering base. It seems to be negatively affecting some aspects of their OSes.
 

OS X Dude

macrumors 65816
Jun 30, 2007
1,128
611
UK
First the Java exploit (not strictly Apple's fault, as the actual security flaw was Java's... but they didn't patch it quickly enough). Now this, around three weeks on. Not been a great month for Apple, security-wise!

Ironically, upgrading to Lion saved you from the Java exploit, but it also put you in danger of this :p
 

thejadedmonkey

macrumors G3
May 28, 2005
9,183
3,343
Pennsylvania
From Neowin...


UPDATE: After the story broke, the thread on Apple's site started to receive some traction. The most interesting post is from the original poster who notes that the bug may not have anything to do with FileVault or the upgrade process of Lion after all.

I've just tried logging in as a network user in a newly set up and updated Lion VM (VMware Fusion) and ran into the same behavior. FileVault was never active on this system.
Emphasis mine.
 

ed724

macrumors regular
Aug 1, 2009
227
1
This is not a non-issue. Don't be an apologist. There are legitimate reasons to use FileVault v1 over v2. v1 encrypts your home directory while v2 encrypts the whole filesystem. If you have untrusted users on the same computer (say shared with a family) v2 will give other users full access to your files while v1 will encrypt on a per home directory basis and another user will be unable to see your files.

Even if there were no legitimate reason to use v1 over v2 that is still no excuse. This is a serious oversight with serious consequences. Now these kinds of things happen and the fact that it happened is not an insult to Apple. However, there is no excuse for it going unpatched for this long. There should have been a patch immediately after it was discovered. There is no excuse for that.

On point 1 above, if you use V2 you still cannot access another user's files without root access. The system owner should set a root pw. If you set a root pw then others cannot get simple access to other users' folders even if they're set as admin level. Although this has nothing to do with the security issues just revealed.
 

mcnaugha

macrumors member
Jun 10, 2006
78
0
Yeah it's a total non-issue. If someone wants further privacy beyond FileVault 2 then make an encrypted disk image. It's just the same as FileVault 1. No one in their right mind should still be using FileVault 1.
 

daveschroeder

macrumors 6502
Sep 14, 2003
315
13
Madison, WI
Please read my post above.

This impacts 10.7.3 systems under the following circumstances:

- 10.7.3 systems using legacy FileVault (FileVault 1), or
- 10.7.3 systems in certain directory bound or network home configurations

It was the latter issue that was discovered first.

----------

Saw this posted on 9to5mac... I guess I'm lucky I haven't upgraded to Lion at all yet. Haven't seen a response from Apple as of yet.

Why are you "lucky"?

Are you running FileVault? If you are, are you planning on staying with FileVault 1, which is not recommended, instead of transitioning to FileVault 2?

Are you bound to a network-based directory server or use network home directories? If not, you are not impacted by this issue.

...and even if you were, someone would have to know this and have access to your system and specifically be going after your password in order for you to be impacted by this. A big deal? Yes, but something that only impacts a narrow cross section of all Lion users.
 

Westside guy

macrumors 603
Oct 15, 2003
6,340
4,158
The soggy side of the Pacific NW
I don't believe they're saying the issue is in FileVault itself, because that wouldn't really make sense. But the issue has been spotted in 10.7.3 systems using that particular configuration - e.g. using the older-style per-home-directory encryption rather than full-disk encryption.

That doesn't mean there aren't other ways to trigger this problem, such as per the VMware note. Possibly VMware is using the same system hooks to save their password info?

Some people also seem to be forgetting that not all Macs are single-user systems...
 

loveturtle

macrumors member
Apr 7, 2006
68
0
Florida
On point 1 above, if you use V2 you still cannot access another user's files without root access. The system owner should set a root pw. If you set a root pw then others cannot get simple access to other users' folders even if they're set as admin level. Although this has nothing to do with the security issues just revealed.

That's not true. Any admin user can spawn a root shell without the root password.

turtle@vier ~ $ whoami
turtle
turtle@vier ~ $ sudo su
vier turtle # whoami
root
vier turtle #

No password required other than the admin user password. That's not the point anyway, system passwords should not be logged in clear text period. Again, the fact that this happened isn't as big of a problem as the fact that it hasn't been patched yet.
 

lilo777

macrumors 603
Nov 25, 2009
5,144
0
So, apparently Kaspersky was wrong when he said that Apple was 10 years behind Microsoft in terms of security. It's more than that.
 

kps

macrumors regular
Jan 10, 2008
102
12
kw.on.ca
Fortunately this issue only applies to that legacy ‘personal computer’ stuff — nothing that's actually important to Apple.
 

neiltc13

macrumors 68040
May 27, 2006
3,126
19
Apple just keeps giving reasons not to buy another Mac.

- Sloppy, buggy software.
- Dumbed down software with features removed to appease novice users and frustrate those who use computers for serious tasks (eg the latest Final Cut).
- Dated hardware.
- No support for Blu Ray or USB 3.
- Childish colourful applications preferred over interfaces that help the user perform tasks.
- Features copied from touch screen devices with no consideration to whether they fit in on a computer.
- Aforementioned features being enabled without my consent (eg the reverse scrolling when I installed Lion).
- Huge security flaws left unfixed for weeks or months at a time.

There used to be reasons to pay a premium for Macs, but clearly there aren't any more.
 

3282868

macrumors 603
Jan 8, 2009
5,281
0
Apple just keeps giving reasons not to buy another Mac.

- Sloppy, buggy software.
- Dumbed down software with features removed to appease novice users and frustrate those who use computers for serious tasks (eg the latest Final Cut).
- Dated hardware.
- No support for Blu Ray or USB 3.
- Childish colourful applications preferred over interfaces that help the user perform tasks.
- Features copied from touch screen devices with no consideration to whether they fit in on a computer.
- Aforementioned features being enabled without my consent (eg the reverse scrolling when I installed Lion).
- Huge security flaws left unfixed for weeks or months at a time.

There used to be reasons to pay a premium for Macs, but clearly there aren't any more.

Sadly, I agree
 