Password compromised whether or not FileVault was used?

This article states that Lion 10.7.3 users are possibly affected by a compromise of their passwords whether or not FileVault has been used, doesn't it?

Posted on May 10, 2012 7:23 PM

3 replies

May 10, 2012 7:42 PM in response to llee

Per the first sentence, this impacts users who either use Legacy FileVault or have home folders mounted via NFS, AFP, or SMB. If you don't fall in either category, no issue.


Per the second sentence, the logs these plain-text passwords are stored in may have been copied to backups (not Time Machine) or to syslog servers.


Link to TS4272 to save readers the trouble of finding it.

http://support.apple.com/kb/TS4272

May 10, 2012 8:11 PM in response to Llessur999

I didn't use FileVault, but my home folder was mounted by myself through AFP using other Macs on my network. Should I interpret the article to mean that the password may be stored in plain text on the Mac that hosted the home folder through AFP, or that the password may be stored in plain text in log files of any of the Macs that were used to access the home folder through AFP, or that the password might appear in clear text in the log files of any of those computers, whether hosting or accessing the home folder through AFP?

May 11, 2012 2:45 AM in response to llee

Recommended reading:


About the security content of OS X Lion v10.7.4 and Security Update 2012-002


* the first item describes the Login Window issue, with reference to CVE-2012-0652.


From Apple's document — and from seeing the symptom of the bug on (just one) computer where FileVault 1 was used — my understanding is that:


* simply making an AFP connection from a 10.7.3 client, to a server, does not cause the password to be saved in plain text


* the issue may affect a 10.7.3 client that uses a server for both (a) login window authentication and (b) automatic mounting of the client's home directory.


Hint: at a 10.7.3 client, in the Users & Groups pane of System Preferences, click Login Options. If any network account server is listed, then you may find that the password of a network account user is saved in plain text at that client computer.
