Security Tracker is warning of a new vulnerability in OS X (Jaguar and Panther) that could give malicious users root access to target systems.
The problem relates to the default configuration of DHCP-related (Dynamic Host Configuration Protocol) authentication services.
The report warns that because OS X is configured with DHCP enabled, it will attempt to connect to any LDAP or NetInfo servers specified by a DHCP response. It claims the OS will "explicitly trust" such servers, permitting a user defined in the LDAP or NetInfo server as having uid (user ID) 0 permissions to access the target system with an arbitrary user name.
If the target system is rebooted during this process, the remote directory server will reportedly be added to the authentication source list on that system and then trusted by that system. This means remote users can log in as root.
A report available from the Carrel Group offers some advice on how to protect systems from such problems.
While security warnings appear frequent, they reflect another positive aspect of Apple's move from a wholly proprietary operating system, such as OS 9 or any version of Windows, to an OS based on open standards. This means that security vulnerabilities can be more easily identified, publicized and repaired in OS X.
Apple has published a Tech Support page that offers some guidance on this problem, "Mac OS X: Directory Access Configuration In the Presence of a Malicious DHCP Response". This shows users how to configure the Directory Access feature to protect their Mac from a malicious DHCP server.
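For administrators who want to see whether DHCP replies on their network carry directory-server settings of the kind described above, the following added example (not taken from the report or from Apple) parses a DHCP options field and flags them. The option numbers 95 (LDAP), 112 and 113 (NetInfo) come from the IANA BOOTP/DHCP registry rather than from this article, and the sample bytes are constructed.

```python
"""Added example: flag directory-server options in a DHCP options field."""
# Option numbers are from the IANA BOOTP/DHCP registry, not from the article.
DIRECTORY_OPTIONS = {95: "LDAP", 112: "NetInfo address", 113: "NetInfo tag"}
MAGIC_COOKIE = bytes([0x63, 0x82, 0x53, 0x63])


def parse_options(field):
    """Return [(code, value), ...] from an options field that starts with the cookie."""
    if field[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options, i = [], 4
    while i < len(field):
        code = field[i]
        if code == 0:            # pad option: one byte, no length field
            i += 1
            continue
        if code == 255:          # end option
            break
        if i + 1 >= len(field):
            raise ValueError("truncated option header")
        length = field[i + 1]
        value = field[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options.append((code, value))
        i += 2 + length
    return options


def directory_findings(field):
    """Return (code, name, value) for each option that names a directory server."""
    return [(code, DIRECTORY_OPTIONS[code], value)
            for code, value in parse_options(field) if code in DIRECTORY_OPTIONS]


def _opt(code, value):
    """Encode one option as code, length, value."""
    return bytes([code, len(value)]) + value


# Constructed sample data (documentation address range), not captured traffic.
SAMPLE_LDAP_URL = b"ldap://192.0.2.10/dc=example,dc=com"
SAMPLE_REPLY_OPTIONS = (MAGIC_COOKIE + _opt(53, b"\x05") + _opt(1, bytes([255, 255, 255, 0]))
                        + _opt(95, SAMPLE_LDAP_URL) + _opt(112, bytes([192, 0, 2, 11])) + b"\xff")
SAMPLE_CLEAN_OPTIONS = MAGIC_COOKIE + _opt(53, b"\x05") + b"\xff"

if __name__ == "__main__":
    for code, name, value in directory_findings(SAMPLE_REPLY_OPTIONS):
        print(f"option {code} ({name}): {value!r}")
```

A reply that carries any of these options from a server you do not operate is worth investigating before the client is allowed to use DHCP-supplied directory settings.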