An alert on the vulnerability was posted to the Security Focus BUGTRAQ Alert Service.
In Mac OS X 10.2, Apple updated the Apple Filing Protocol (AFP) client to permit secure connections over the SSH (Secure Shell) protocol. However, Chris Adams, a system administrator in San Diego, Calif., noted that while users could request a secure connection, the system would issue no alert or other indication if an SSH connection was unavailable and would then fall back to a non-secure connection. He noted that the only indication was a negative one: users had to notice that the "Opening Secure Connection" alert did not appear.
According to Adams, this could result in users sending unencrypted passwords over an insecure connection.
"Login credentials may be sent in cleartext or protected with one of several different hashed exchanges or Kerberos. There does not appear to have been any serious third-party security review of Apple's client or server implementations," Adams wrote in his report on the vulnerability.
Speaking with eWEEK.com, Adams said that any such activity would only come as the result of an active attack. "OS X does warn you before using unencrypted passwords and AFP does prevent passive password collection by encrypting the log-in process to protect the password on its way to the server. This problem allows you to trick it into sending the unencrypted password to you instead of the intended server," he said.
Adams pointed out that this sort of problem was not unique to Mac OS X.
"As with Microsoft's Windows file sharing, AFP was designed for trusted LANs and some of the basic assumptions change when these systems are placed on the public Internet. Users on a secured LAN face relatively little risk; the most exposed are those using AFP over the Internet without a VPN," he said.
Users of AFP on a secure network, Adams said, should have little to worry about.
Adams said that systems open to remote connections, such as those at educational institutions, would be vulnerable to "man in the middle" attacks, in which a third server could intercept and harvest passwords surreptitiously.
Compounding the problem, Adams added, was that SSH connectivity for AFP would not work at all in the initial releases of Mac OS X 10.3 and 10.3.1.
Adams observed that the problem arises from the fact that AFP treats SSH as an option rather than a user requirement.
Though his BUGTRAQ warning provided workarounds, such as manually configuring an SSH tunnel or using SFTP instead, Adams suggested that SSH should be enabled by default for both client and server, and that the user interface be modified to warn clearly when the system is unable to establish an SSH tunnel.
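A fail-closed version of the manual-tunnel workaround, added here as an example and not taken from Adams' report or from Apple: it forwards AFP's TCP port 548 over SSH and only ever hands the client a loopback URL, so a missing tunnel is an error rather than a silent cleartext fallback. The user@host, the local port 15548 and the use of `nc -z` as the liveness probe are assumptions.

```shell
#!/bin/sh
# Fail-closed AFP-over-SSH helper (added example, not Apple's or Adams' code).
# Assumptions: OpenSSH 'ssh' and an 'nc' that supports '-z' are installed;
# the AFP server listens on TCP 548; local port 15548 is free.

AFP_PORT=548          # AFP (Apple Filing Protocol) service port
LOCAL_PORT=15548      # local end of the SSH port forward (assumed free)

# Print the ssh command that forwards LOCAL_PORT on this machine to port 548
# on the remote host over an encrypted SSH session (-N: no remote shell).
# $1 = user@host of the AFP server
tunnel_cmd() {
    printf 'ssh -N -L %s:127.0.0.1:%s %s\n' "$LOCAL_PORT" "$AFP_PORT" "$1"
}

# Succeed only if something is accepting connections on the forwarded port.
tunnel_is_up() {
    nc -z 127.0.0.1 "$LOCAL_PORT" >/dev/null 2>&1
}

# Print the only URL the AFP client is ever given: the loopback end of the
# tunnel. The remote hostname never appears in an afp:// URL, so the client
# has no direct path to fall back to when SSH is unavailable; instead this
# function fails and the caller must not connect at all.
afp_url() {
    if tunnel_is_up; then
        printf 'afp://127.0.0.1:%s/\n' "$LOCAL_PORT"
    else
        echo "SSH tunnel to AFP is not up; refusing cleartext connection" >&2
        return 1
    fi
}

# Typical use on macOS (start the tunnel, then connect only if it is up):
#   $(tunnel_cmd admin@fileserver.example) &
#   sleep 2; url=$(afp_url) && open "$url"
```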
SSH incorporates a number of extensively analyzed security measures; Adams said the fix is merely a matter of exposing those in the AFP user interface.
Adams said he first reported this bug to Apple in early December 2003 and followed up weeks later, but received no response from the computer maker.
However, he told eWEEK.com that a final notice that he was going to release the information publicly resulted in a response on Friday.
"It was what I was hoping for originally," he said of the response: a notice that Apple was looking into the issue and an offer to coordinate efforts.
An Apple representative declined to expand on Adams' statement.