www.center.hu / Archive / Security news / may, 2005 / Apple Mac OS X ldap plaintext user password vulnerability 

Apple Mac OS X ldap plaintext user password vulnerability

Vulnerability Description

Vulnerability ID: 32885
Discovered By: anonymous
Exploitable Locally: Yes
Exploitable Remotely: No
Impact: Attackers can possibly gain sensitive information.
Root Cause: Software Vulnerability

Apple Mac OS X contains a vulnerability that can allow a local attacker to gain sensitive information. A user's password is stored in plaintext when the LDAP server has ldap_extended_operation disabled or does not support the option. An attacker can potentially access this information.

Recommendations

Apple Security Update 2005-005 (Client)
Apply Apple Security Update 2005-005.

Security Update 2005-005 (Client):
http://www.apple.com/support/downloads/securityupdate2005005client.html

Apple Security Update 2005-005 (Server)
Apply Apple Security Update 2005-005.

Security Update 2005-005 (Server):
http://www.apple.com/support/downloads/securityupdate2005005server.html


Affected Technologies

Apple: Mac OS X 10.3
Apple: Mac OS X 10.3.1
Apple: Mac OS X 10.3.2
Apple: Mac OS X 10.3.3
Apple: Mac OS X 10.3.4
Apple: Mac OS X 10.3.5
Apple: Mac OS X 10.3.6
Apple: Mac OS X 10.3.7
Apple: Mac OS X 10.3.8
Apple: Mac OS X 10.3.9
Apple: Mac OS X Server 10.3
Apple: Mac OS X Server 10.3.1
Apple: Mac OS X Server 10.3.2
Apple: Mac OS X Server 10.3.3
Apple: Mac OS X Server 10.3.4
Apple: Mac OS X Server 10.3.5
Apple: Mac OS X Server 10.3.6
Apple: Mac OS X Server 10.3.7
Apple: Mac OS X Server 10.3.8
Apple: Mac OS X Server 10.3.9


References

Apple: Security Update 2005
Mitre CVE: CAN-2005-1338


More information is available at the CA Vulnerability Information Center:
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=32885

Computer Associates – the Trusted Source of Security Knowledge


