Monday, 07 May 2012 08:50

Patch to OSX Lion Leaves Some Users' FileVault Passwords Exposed

The Apple Mythology continues to crumble as we hear (and have confirmed) that an update to Apple’s OSX Lion has exposed the passwords and questions to partitions protected with Apple’s FileVault. The issue rears its head when someone using FileVault updates to OSX 10.7.3. When this happens, the update ends up writing the user’s credentials into the system’s plain-text debug file.

Now you might think that removing and recreating the partition will fix the issue. Unfortunately, you would be wrong here, as it appears the flaw will write the credentials for new partitions into the debug file as well. This bug is pretty serious, yet we have not heard anything from Apple on a fix for it.

Typically an encrypted partition is used to prevent access to your data in the event of theft or loss. If someone tries to open your files, they are unreadable without the passphrase that allows the system to decrypt them. With this new bug, someone can boot the Mac into FireWire disk mode and then read the passwords from the debug file right off of the disk. They could also use the superuser shell that is in the recovery partition (a feature that just showed up in Lion).

The issue was spotted by security researcher David Emery and, as we mentioned, has yet to be acknowledged or addressed by Apple. We will keep you informed on any patches that we hear about to resolve this problem. We are now left to wonder why the debug switch was left on for the final release of the update. This is an oversight that should never have happened, and it raises serious concerns over the QA being done inside Apple for their patches and upgrades. As Emery writes in his post about this:

"Someone, for some unknown reason, turned on a debug switch (DEBUGLOG) in the current released version of MacOS Lion 10.7.3 that causes the authorizationhost process's HomeDirMounter DIHLFVMount to log in *PLAIN TEXT* in a system wide logfile readable by anyone with root or admin access the login password of the user of an encrypted home directory tree ("legacy Filevault").

The log in question is kept by default for several weeks...

Thus anyone who can read files accessible to group admin can discover the login passwords of any users of legacy (pre LION) Filevault home directories who have logged in since the upgrade to 10.7.3 in early February 2012.

This is worse than it seems, since the log in question can also be read by booting the machine into firewire disk mode and reading it by opening the drive as a disk or by booting the new-with-LION recovery partition and using the available superuser shell to mount the main file system partition and read the file. This would allow someone to break into encrypted partitions on machines they did not have any idea of any login passwords for."

Emery did say that the full disk encryption in FileVault2 is not vulnerable to this, as even the debug file is encrypted at that point.
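Because the log is kept for several weeks, the exposure also sits in rotated archives, not just the live file. The script below is an added example, not code from this article or from Emery's post: it reports which files in an operator-supplied log directory contain the DIHLFVMount marker named in the quote, printing counts only so the entries themselves are not re-exposed. The directory argument and the function names are assumptions; the page gives neither the log's path nor its line format.

```shell
#!/bin/sh
# Added example: find log files (including rotated .gz/.bz2 archives) that
# still hold entries from the mount helper named in the advisory.
# Matching lines are never printed, since they may contain a login password.
# Assumption: the operator passes the log directory; the article does not
# state the log's path or line format.

MARKER="DIHLFVMount"   # identifier quoted in Emery's description

# count_marker FILE -> prints how many lines of FILE contain MARKER.
count_marker() {
    case "$1" in
        *.gz)  gzip  -dc -- "$1" 2>/dev/null | grep -c -F -- "$MARKER" ;;
        *.bz2) bzip2 -dc -- "$1" 2>/dev/null | grep -c -F -- "$MARKER" ;;
        *)     grep -c -F -- "$MARKER" "$1" 2>/dev/null ;;
    esac
}

# audit_logs DIR -> prints "count<TAB>path" for every affected file in DIR.
# Prints nothing when no file contains the marker.
audit_logs() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # grep -c exits non-zero on a zero count; that is not an error here.
        n=$(count_marker "$f") || true
        n=${n:-0}
        if [ "$n" -gt 0 ]; then
            printf '%s\t%s\n' "$n" "$f"
        fi
    done
    return 0
}

# Run only when a directory is given: sh audit.sh <log-directory>
[ $# -eq 0 ] || audit_logs "$1"
```

Every file it lists needs to be purged or secured, and any legacy FileVault user who logged in during the period those files cover should change their login password.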

Last modified on Monday, 07 May 2012 09:13