So, for the second or third time, I read on Slashdot about people complaining about the "serious security" problems with MacOSX. I finally couldn't stop myself from posting to one of these discussions, not because I'm a Macintosh fan, but because I find it preposterous to even call this a bug.
As far as I'm concerned, Apple has implemented their solutions as per specifications. They probably could have made better documentation, GUI/tools and training around the well known security issues around DHCP in general, and the LDAP option in particular. And arguably, using DHCP with the LDAP option like they did might have been a poor design decision, but it was no less secure than their previous systems afaik (e.g. Netinfo).
I first posted this response to the latest /. article:
    I still don't understand why this security "hole" got so much attention... Are people struggling to find problems with MacOSX? First of all, attacks like this are nothing new; just remember the old YP/NIS problems with broadcasting for the server, to mention just one example. Secondly, when we wrote the DHCP LDAP option specs way back when, we explicitly documented this problem in the security section: [quoted security section not preserved on this page] This was written in 1997; note the last paragraph above. These issues have been discussed and documented in several RFCs, many years ago...
Someone posted a question asking if this was a MacOSX specific problem, to which I responded:
    Well, DHCP is inherently insecure, so this is definitely not a MacOSX specific "bug" (but I personally don't consider it a bug). This is all well documented in the DHCP RFCs and docs, e.g. from RFC 2131: [quoted RFC text not preserved on this page] I think what makes MacOSX "unique" is that they use services traditionally not provided by DHCP (in this case, LDAP server information). Just like with NIS/YP, we have a tradeoff between ease of deployment (automatic service discovery) vs strong security. I know for a fact that way back, many YP/NIS deployments got hacked (in open networks, most commonly Universities) by simply pretending to be an NIS server. NIS+ addressed this problem (and others), and made it close to impossible to deploy and maintain. :-) I don't know what Apple will do to "secure" this; the natural solution seems to be to have the DHCP client limit which servers it will talk to (establish a trust relation). It could be done with something as simple as a DHCP server host list, or more likely using Kerberos tickets to verify the authenticity of the DHCP response (I'm no Kerberos expert, so don't quote me on that one). More than likely, it'll make deployment a bit harder than what it is now.
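The "DHCP server host list" mitigation mentioned in the post above, as an added example (not Apple's code, not from any RFC, and not part of the original post): a client-side check that parses the options of a DHCP OFFER/ACK, reads the server identifier (option 54), and refuses to act on any offer whose server is not on a locally configured trust list, logging when the rejected offer also carries a directory-service option. The LDAP URL option code 95, the trusted-server address, and the sample packets are all assumptions constructed for this example; the packet builder exists only so the check can be exercised offline.

```python
import struct
from ipaddress import IPv4Address

# BOOTP/DHCP constants (RFC 2131/2132); option 95 is the LDAP URL code as
# used by Apple and listed in RFC 3679 -- treated as an assumption here.
DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE = 53
OPT_SERVER_ID = 54
OPT_LDAP_URL = 95
DHCPOFFER, DHCPACK = 2, 5

# Constructed trust list: the only DHCP server this client will believe.
TRUSTED_DHCP_SERVERS = {"192.0.2.1"}


def parse_dhcp_options(payload):
    """Parse the options field of a DHCP message (240-byte fixed header + options).

    Returns {option_code: raw_value}. Pads are skipped and END terminates the
    scan; a later duplicate of an option overwrites an earlier one (RFC 3396
    concatenation of long options is deliberately not handled here).
    """
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message (bad magic cookie)")
    opts = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def evaluate_offer(payload, trusted=TRUSTED_DHCP_SERVERS):
    """Decide whether a client should honour this DHCP reply.

    Returns (accept, reason, server_ip). Replies from servers outside the
    trust list are rejected, and the reason records whether the rejected
    reply tried to hand out an LDAP directory location.
    """
    opts = parse_dhcp_options(payload)
    msg_type = opts.get(OPT_MSG_TYPE, b"")
    if msg_type not in (bytes([DHCPOFFER]), bytes([DHCPACK])):
        return False, "not an OFFER/ACK", None
    sid = opts.get(OPT_SERVER_ID)
    if sid is None or len(sid) != 4:
        return False, "missing server identifier", None
    server_ip = str(IPv4Address(sid))
    if server_ip not in trusted:
        reason = "server not in trusted list"
        if OPT_LDAP_URL in opts:
            reason += "; advertises LDAP directory option " + opts[OPT_LDAP_URL].decode(errors="replace")
        return False, reason, server_ip
    return True, "trusted server", server_ip


def build_offer(server_ip, ldap_url=None, msg_type=DHCPOFFER):
    """Construct a minimal DHCP reply for testing (constructed, not captured traffic)."""
    header = bytearray(240)
    header[0] = 2            # op = BOOTREPLY
    header[1] = 1            # htype = Ethernet
    header[2] = 6            # hlen
    header[236:240] = DHCP_MAGIC
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    opts += bytes([OPT_SERVER_ID, 4]) + IPv4Address(server_ip).packed
    if ldap_url:
        url = ldap_url.encode()
        opts += bytes([OPT_LDAP_URL, len(url)]) + url
    opts += bytes([OPT_END])
    return bytes(header) + opts


if __name__ == "__main__":
    good = build_offer("192.0.2.1", "ldap://ldap.example.com/dc=example,dc=com")
    rogue = build_offer("198.51.100.7", "ldap://untrusted.example/dc=x")
    for pkt in (good, rogue):
        accept, reason, ip = evaluate_offer(pkt)
        print(f"{ip}: {'ACCEPT' if accept else 'REJECT'} ({reason})")
```

The check is only as strong as the server identifier it keys on, which is itself part of the untrusted reply; that is exactly why the post reaches for Kerberos or another authenticated mechanism (RFC 3118 defines authentication for DHCP messages) as the more likely long-term answer. A static list still raises the bar against a machine that merely answers first, and the rejection reason gives an administrator something concrete to alert on.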
Nothing new about this at all....