Monday’s Security Upate provides a fix to a critical vulnerability that allows malicious parties to trivially obtain administrative passwords.
In other words, it would behoove you to run this update sooner rather than later, or make sure you use a VPN when admining your server.This vulnerability is worth exploring in more depth in order to underscore its importance. This is the text of the original email I sent when I reported it to Apple’s Product Security group three weeks ago.
servermgrd is a modified version of apache used by Apple in Mac OS X
Server as a management back end. It uses ssl for encryption. Out of box,
every install of Mac OS X Server uses the same private key.
[SNIP: it’s stored at /etc/servermgrd/ssl.key/server.key]
Using the ssldump (http://www.rtfm.com/ssldump/)* utility I’ve several
times in the last week sat on
wireless networks and obtained administrative passwords for several Mac OS
X Servers. I’ve long figured this was possible but did not look into it adequitely until it became necessary during the production of O’Reilly’s upcoming Running Mac OS X Server.
The decrypted packet looks like this:
12 10 0.4775 (0.0007) C>S application_data
POST /commands/servermgr_info HTTP/1.0
Authorization: Basic xxxxxxxxxxxxxx
…where xxxxxxxxxxxxxx is the base64 encoded version of the password
specified at login.
We must assume every packet on every network is likely to be sniffed. For
the price of $500 anyone anywhere can obtain the private key used to
administer tens of thousands of servers. At the very least this should be
widely documented, yet a search at apple.com/support for servermgrd and
Server Admin SSL yield nothing. This is very briefly hinted at on page 17
of the Command Line Administration Guide. This text, though, is misleading
at best in its failure to advertise the rather insecure out of box state
*note trivial diff to get it to build on Mac OS X
crap:~/Desktop/ssldump-0.9b3 mbartosh$ diff configure configure.orig