OS X Lion accepts any LDAP password, creates enterprise network nightmare

There's nothing more frightening to a network administrator than to have a potential security hole that can open a network to attacks from outside. Unfortunately, the latest incarnation of Mac OS X -- Lion -- reportedly has a major security issue related to Lightweight Directory Access Protocol (LDAP).

LDAP servers often contain sensitive enterprise data, so a successful attack on one of these servers is a bonanza for hackers. For reasons not yet explained, Macs running Lion that use LDAP to authenticate users to shared resources work just fine for the initial login. After that point, Lion users can enter any password and still log in.

Macs running older versions of OS X, Windows PCs, and Linux machines authenticate properly against the same LDAP servers; only the Lion machines exhibit the bad behavior. There are no reported security problems with Macs running Lion that log into networks using protocols other than LDAP.

This issue is likely to worry network administrators who are already being pressured to add more Macs to their networks. Alex Stamos, a researcher at iSec Partners, recently said that large corporate customers should think twice before deploying large numbers of Macs in the enterprise. Speaking at the Black Hat security conference earlier this month, Stamos said that iSec Partners had found an easy way to steal hundreds of passwords from enterprise servers simply by connecting a Mac to the network.

Network admins who suspect that Macs may be an open gate to their data are not going to be amenable to connecting these devices to their enterprise networks.