Security in Context: The BeyondTrust Blog

OS X Lion Fails to Verify Authentication Before Changing User Password

Disclosed: September 18, 2011. Status: Fully Patched.

Vulnerability Description:

OS X Lion does not request user authentication when a local user attempts to change their password. As a result, anyone with local access to a logged-in account can change that account's password without knowing the current one.

Vendors:

Apple

Vulnerable Software/Devices:

Apple OS X Lion

Vulnerability Severity:

Medium

Exploit Availability:

N/A

BeyondTrust Prevention and Detection:

Mitigation:

Limit regular users' access to the dscl utility (mode 100 leaves the binary execute-only for its owner, root, and removes all permissions for group and other):

sudo chmod 100 /usr/bin/dscl
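
A check for the mitigation above, added here as an example and not part of the BeyondTrust entry: it reads a binary's permission bits (BSD/macOS stat first, then GNU stat as a fallback) and reports whether any user other than the owner can still execute it; the path defaults to /usr/bin/dscl. It confirms only the permission bits, not that Apple's patch is installed.

```shell
#!/bin/sh
# Added example, not from the BeyondTrust entry: verify that the
# "chmod 100 /usr/bin/dscl" mitigation is in place, i.e. that only the
# file's owner (root) can execute the binary.

# Print a file's permission bits in octal (e.g. 755). Tries BSD/macOS stat
# first, then GNU stat, so the same function runs on both platforms.
file_mode() {
    stat -f '%OLp' "$1" 2>/dev/null || stat -c '%a' "$1"
}

# Succeed (return 0) if the octal mode grants execute to group or other.
# 0011 masks the group-execute (010) and other-execute (001) bits.
nonowner_exec() {
    [ $(( 0$1 & 0011 )) -ne 0 ]
}

# Audit one path: 0 = mitigation applied, 1 = not applied, 2 = path missing.
audit_exec_only() {
    path="${1:-/usr/bin/dscl}"
    if [ ! -e "$path" ]; then
        echo "$path: not found"
        return 2
    fi
    mode=$(file_mode "$path")
    if nonowner_exec "$mode"; then
        echo "$path: mode $mode lets group/other execute it (mitigation NOT applied)"
        return 1
    fi
    echo "$path: mode $mode is owner-execute only (mitigation applied)"
    return 0
}

# Run the audit against the real dscl binary when present (macOS only).
if [ -e /usr/bin/dscl ]; then
    audit_exec_only /usr/bin/dscl || :
fi
```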

Links:

CVE(s):

None