Mac OS X FileVault Plaintext Password Logging

This script is Copyright (C) 2012 Tenable Network Security, Inc.


Synopsis :

The remote Mac OS X host logs passwords in plaintext.

Description :

Plaintext passwords were discovered in a system log file. Mac OS X
Lion release 10.7.3 enabled a debug logging feature that causes
plaintext passwords to be logged to /var/log/secure.log on systems
that use certain FileVault configurations. A local attacker in the
admin group or an attacker with physical access to the host could
exploit this to get user passwords, which could be used to gain access
to encrypted partitions.

See also :

https://discussions.apple.com/thread/3715366
https://discussions.apple.com/thread/3872437
http://cryptome.org/2012/05/apple-filevault-hole.htm
http://support.apple.com/kb/HT5281
http://support.apple.com/kb/TS4272

Solution :

Upgrade to Mac OS X 10.7.4 or later and securely remove log files
that contain plaintext passwords (refer to article TS4272).

Risk factor :

Low / CVSS Base Score : 1.9
(CVSS2#AV:L/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 1.8
(CVSS2#E:F/RL:U/RC:ND)
Public Exploit Available : true

Family: MacOS X Local Security Checks

Nessus Plugin ID: 59090 ()

Bugtraq ID: 53402

CVE ID: CVE-2012-0652