Categories: Security

Apple restores certificate validation checks mysteriously missed

Apple released a security update to iOS that restores some certificate-validation checks that had apparently been missing for an unspecified amount of time.

Last week

Apple released a security update to iOS (iOS 7.06) to fix a flaw for certificate-validation checks that could be abused by

attackers to conduct a man-in-the-middle attack within the victim’s network  to capture or modify data even if protected by SSL/TLS.

In reality the checks were present in past versions, but they were not included in

the recent version of the operating system for an unspecified amount of time.

” 

iOS 7.0.6 Data Security

Available for: iPhone 4 and later, iPod touch (5th generation), iPad 2 and later
Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS

Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps. CVE-ID CVE-2014-1266

is repored by Apple as further specification for the update released.  

Apple confirmed that last update resolves a problem with the way that iOS imlements certificate validation for a secure connection, it also added that the fix was possible restoring missing validation steps. The above statement is disconcerting, because in an historical moment when the user’s privacy always under discussion, the company accidentally forgot to include a key control that was present in the past.

At the moment there is no information regarding the exact release that missed the precious controls, but there are no doubts about the severity of the flaw that could allow attackers to intercept communications that are meant to be encrypted in iPhone, iPad and Mac computer.

To give an idea of the impact to also to non-experts we must remark that an attacker accesses to the same network of the victim could intercept protected communication between the user and sites such as Gmail that implements SSL/TLS.

Who would benefit from such a vulnerability?
Of course any intelligence agency that need to hack user’s communication, even is they are protected with SSL/TLS.
Resuming, which is the attack scenario?
To pull off the attack an adversary has to be able to Man-in-The-Middle (MitM) network connections, which can be done if they are present on the same wired or wireless network as the victim. Due to a flaw in authentication logic on iOS and OS X platforms, an attacker can bypass SSL/TLS verification routines upon the initial connection handshake. This enables an adversary to masquerade as coming from a trusted remote endpoint, such as your favorite webmail provider and perform full interception of encrypted traffic between you and the destination server, as well as give them a capability to modify the data in flight (such as deliver exploits to take control of your system).” explained John Costello, Security Researcher at CrowdStrike said in a blog post.
Researcher Adam Langley conducted an interesting analysis of the flaw Apple OS X confirming it affects the signature verification process in such a way that a server could send a valid certificate chain to the client and not have to sign the handshake at all.

“This signature verification is checking the signature in a ServerKeyExchange message. This is used in DHE and ECDHE ciphersuites to communicate the ephemeral key for the connection. The server is saying ‘here’s the ephemeral key and here’s a signature, from my certificate, so you know that it’s from me’,” “Now, if the link between the ephemeral key and the certificate chain is broken, then everything falls apart. It’s possible to send a correct certificate chain to the client, but sign the handshake with the wrong private key, or not sign it at all! There’s no proof that the server possesses the private key matching the public key in its certificate.” Langley wrote in his analysis.

Langley has published a test site that allow Apple users to verify is their product are vulnerable.

“I coded up a very quick test site at https://www.imperialviolet.org:1266. Note the port number (which is the CVE number), the normal site is running on port 443 and that is expected to work. On port 1266 the server is sending the same certificates but signing with a completely different key. If you can load an HTTPS site on port 1266 then you have this bug.”

To Check if your browser is vulnerable to SSL flaw you can also visit another website Clicking here.

Apple also released iOS 6.1.6 an Apple TV update to fix the same vulnerability, I strongly suggest you to update your Apple products to the last versions!

Pierluigi Paganini

(Security Affairs –  mobile, iOS 7.06)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

12 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

19 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

1 day ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

1 day ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

2 days ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

2 days ago

This website uses cookies.