Categories: Security

Apple restores certificate validation checks mysteriously missed

Apple released a security update to iOS that restores some certificate-validation checks that had apparently been missing for an unspecified amount of time.

Last week

Apple released a security update to iOS (iOS 7.06) to fix a flaw for certificate-validation checks that could be abused by

attackers to conduct a man-in-the-middle attack within the victim’s network  to capture or modify data even if protected by SSL/TLS.

In reality the checks were present in past versions, but they were not included in

the recent version of the operating system for an unspecified amount of time.

” 

iOS 7.0.6 Data Security

Available for: iPhone 4 and later, iPod touch (5th generation), iPad 2 and later
Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS

Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps. CVE-ID CVE-2014-1266

is repored by Apple as further specification for the update released.  

Apple confirmed that last update resolves a problem with the way that iOS imlements certificate validation for a secure connection, it also added that the fix was possible restoring missing validation steps. The above statement is disconcerting, because in an historical moment when the user’s privacy always under discussion, the company accidentally forgot to include a key control that was present in the past.

At the moment there is no information regarding the exact release that missed the precious controls, but there are no doubts about the severity of the flaw that could allow attackers to intercept communications that are meant to be encrypted in iPhone, iPad and Mac computer.

To give an idea of the impact to also to non-experts we must remark that an attacker accesses to the same network of the victim could intercept protected communication between the user and sites such as Gmail that implements SSL/TLS.

Who would benefit from such a vulnerability?
Of course any intelligence agency that need to hack user’s communication, even is they are protected with SSL/TLS.
Resuming, which is the attack scenario?
To pull off the attack an adversary has to be able to Man-in-The-Middle (MitM) network connections, which can be done if they are present on the same wired or wireless network as the victim. Due to a flaw in authentication logic on iOS and OS X platforms, an attacker can bypass SSL/TLS verification routines upon the initial connection handshake. This enables an adversary to masquerade as coming from a trusted remote endpoint, such as your favorite webmail provider and perform full interception of encrypted traffic between you and the destination server, as well as give them a capability to modify the data in flight (such as deliver exploits to take control of your system).” explained John Costello, Security Researcher at CrowdStrike said in a blog post.
Researcher Adam Langley conducted an interesting analysis of the flaw Apple OS X confirming it affects the signature verification process in such a way that a server could send a valid certificate chain to the client and not have to sign the handshake at all.

“This signature verification is checking the signature in a ServerKeyExchange message. This is used in DHE and ECDHE ciphersuites to communicate the ephemeral key for the connection. The server is saying ‘here’s the ephemeral key and here’s a signature, from my certificate, so you know that it’s from me’,” “Now, if the link between the ephemeral key and the certificate chain is broken, then everything falls apart. It’s possible to send a correct certificate chain to the client, but sign the handshake with the wrong private key, or not sign it at all! There’s no proof that the server possesses the private key matching the public key in its certificate.” Langley wrote in his analysis.

Langley has published a test site that allow Apple users to verify is their product are vulnerable.

“I coded up a very quick test site at https://www.imperialviolet.org:1266. Note the port number (which is the CVE number), the normal site is running on port 443 and that is expected to work. On port 1266 the server is sending the same certificates but signing with a completely different key. If you can load an HTTPS site on port 1266 then you have this bug.”

To Check if your browser is vulnerable to SSL flaw you can also visit another website Clicking here.

Apple also released iOS 6.1.6 an Apple TV update to fix the same vulnerability, I strongly suggest you to update your Apple products to the last versions!

Pierluigi Paganini

(Security Affairs –  mobile, iOS 7.06)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Empire Market owners charged with operating $430M dark web marketplace

Federal authorities charged two individuals with operating the dark web marketplace Empire Market that facilitated…

1 hour ago

China-linked Velvet Ant uses F5 BIG-IP malware in cyber espionage campaign

Chinese cyberespionage group Velvet Ant was spotted using custom malware to target F5 BIG-IP appliances…

3 hours ago

LA County’s Department of Public Health (DPH) data breach impacted over 200,000 individuals

The County of Los Angeles’ Department of Public Health (DPH) disclosed a data breach that…

10 hours ago

Spanish police arrested an alleged member of the Scattered Spider group

A joint law enforcement operation led to the arrest of a key member of the…

12 hours ago

Online job offers, the reshipping and money mule scams

Offers that promise easy earnings can also bring with them a host of scams that…

15 hours ago

Security Affairs newsletter Round 476 by Pierluigi Paganini – INTERNATIONAL EDITION

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles…

1 day ago

This website uses cookies.