Mac OS X Lion Update Exposes Clear-Text Passwords
Apple's latest security update to OS X Lion, 10.7.3, was shipped with the debugging switch left on, leaving passwords open in plain text in a folder that had previously been encrypted with the first version of the company's FileVault encryption.
David I. Emery, owner of DIE Consulting, disclosed the flaw on the Cryptome encryption mailing list on Saturday, May 5.
Apple released the buggy update in February.
Emery reports that the debug switch (DEBUGLOG) seems to have been left on inadvertently. The security hole causes log-in passwords for the encrypted home directory tree (legacy FileVault) to be left readable, in a systemwide log file, by any user with root or administrative access.
That log is kept, by default, for several weeks, Emery wrote. That means that anybody who can read files available to group administration can discover the log-in for any user of pre-Lion FileVault home directories who has logged in since the February upgrade.
What makes this one so bad is that the log, and thus encrypted partitions, can be read by intruders who don't have a log-in password. It's done by booting the machine into FireWire disk mode, which allows the log and partitions to be read by opening the drive as a disk or by booting the recovery partition that was introduced in Lion. An intruder then uses the available super-user shell to mount the main file system partition, Emery says.
It gets worse.
Emery theorized that Apple's Time Capsule backup tool may have backups encrypted with the password available in plain text.
"For those who use Apple's easy backup tools ('Time Capsule'), it was possible to assume that those tools only wrote copies of the sparsebundle encrypted container for a FileVault legacy home directory to the backup media, meaning that an unencrypted backup would still provide protection for the contained encrypted home directories," Emery wrote. "But with the password required to decrypt the sparebundles stored in the clear on the (unencrypted) backup, that assumption is no longer true."
Emery said that users can partially protect themselves from attack by using FileVault 2, which offers whole-disk encryption. Such encryption requires that users know at least one user log-in password before they are given access to files on the disk's main partition.
Further, weaker protection can be had by setting a firmware password, which would be required before a user can boot the recovery partition or external media or enter FireWire disk mode, he says. However, there's a technique to turn this off, known to Apple field support.
Chester Wisniewski, a senior security advisor for Sophos, wrote that this security snafu proves an important point about encryption: Secure algorithms are important, but that's "rarely the most important factor."
"How products store, manage and secure keys and passwords is the most common failure point in assuring data protection," Wisniewski wrote in Sophos' Naked Security blog. "This incident demonstrates the importance of implementation over technical arguments like key strength and password complexity. That Apple promises AES [Advanced Encryption Standard] encryption doesn't mean anything if it chooses to store your password in an accessible log file."
Of course, the possibility that the plain-text password has been backed up means that it's going to be tough to ensure that both it and the original plain-text password are securely erased, he said, even after the fix comes out.
Thus, Wisniewski advises Mac users to consider changing passwords, and then to refrain from using those passwords on any other systems, even after applying the patch.