Flaw in OS X Lion Encryption Leaves User Credentials in Plaintext

There’s a serious weakness in certain versions of Apple OS X that causes the operating system to store users’ login credentials for the FileVault encrypted storage in plaintext. The bug, which is found in older versions of FileVault present on OS X Lion 10.7.3 systems, enables anyone with admin access to the machine to get the login password for the FileVault system. The flaw also can be exploited when a machine is in FireWire disk mode and accessible to another computer.

A consultant publicized the OS X vulnerability on Friday, and explained that it seems only to apply to Macs that were upgraded to OS X Lion from Snow Leopard but continued to employ the older version of FileVault. The vulnerability apparently was introduced in February.

“That seems to have happened to Apple’s older (‘legacy’) Filevault in the current release of Mac OSX Lion (10.7.3)…. something intended to protect sensitive information stored on laptops by providing for encrypted user home directories contained in an encrypted file system mounted on top of the user’s home directory,” David Emery, a consultant at DIE Consulting, wrote in an email to a cryptography mailing list.

“Someone, for some unknown reason, turned on a debug switch (DEBUGLOG) in the current released version of MacOS Lion 10.7.3 that causes the authorizationhost process’s HomeDirMounter DIHLFVMount to log in *PLAIN TEXT* in a system wide logfile readable by anyone with root or admin access the login password of the user of an encrypted home directory tree (‘legacy Filevault’). The log in question is kept by default for several weeks.”

Emery said that users can partially protect themselves against the problem by upgrading to FileVault 2, which encrypts the entire disk drive and requires that a user know one password to access the encrypted partition. 

“One wonders why such a debug switch exists in shipped production code… clearly it could be invoked covertly in specific situations, this seems to be an example of someone turning it on for the entire release by accident. Nobody breaks encryption by climbing the high walls in front … when the garden gate is open for millions of machines,” Emery wrote. 