Apple Fixes Dangerous SSL Authentication Flaw In iOS

wiredmikey writes "Users of iOS devices will find themselves with a new software update to install, thanks to a certificate validation flaw in the mobile popular OS. While Apple provides very little information when disclosing security issues, the company said that an attacker with a 'privileged network position could capture or modify data in sessions protected by SSL/TLS.' 'While this flaw itself does not allow an attacker to compromise a vulnerable device, it is still a very serious threat to the privacy of users as it can be exploited through Man-in-the-Middle attack,' VUPEN's Chaouki Bekrar told SecurityWeek. For example, when connecting to an untrusted WiFi network, attackers could spy on user connections to websites and services that are supposed to be using encrypted communications, Bekrar said. Users should update their iOS devices to iOS 7.0.6 as soon as possible." Adds reader Trailrunner7: "The wording of the description is interesting, as it suggests that the proper certificate-validation checks were in place at some point in iOS but were later removed somehow. The effect of an exploit against this vulnerability would be for an attacker with a man-in-the-middle position on the victim's network would be able to read supposedly secure communications. It's not clear when the vulnerability was introduced, but the CVE entry for the bug was reserved on Jan. 8."

And thus is it delivered to all supported devices

[Rosyna]

The update is available to all supported devices (From the iPhone 3GS running 6.1.x and up).

Re:And thus is it delivered to all supported devic

[berj]

They also released 6.1.6 which patches this bug.

Re:How about OS X?

[berj]

Yes. 10.9.1 has this problem (not sure about earlier versions). 10.9.2, which is in beta, patches the problem. Should be released soon.

Details of bug

[DrDevil]

The bug is that the cn hostname from the certificate is not verified. So it's possible to use your own website SSL cert as a cert for any other site and Apple devices will accept it no question. Of course, to exploit, you'd need to modify a tool like webmitm to serve a fixed certificate.

Very very dangerous, seems to be a result of switching away from OpenSSL although details are still flaky.

Re: Details of bug

That's not the bug at all. It has nothing to do with hostname verification whatsoever. In fact, traditional RSA+AES CBC connections are not affected at all. Only ephemeral, or so-called "perfect forward secrecy" key exchanges are affected.

However because cipher choice and handshake choice are left to the server (picking from a set that the client advertises) in the protocol, a malicious server can always pick the vulnerable key exchange and exploit it.

The precise bug is subtle. The failure to verify the hashed signature of the ephemeral key exchange means that the server can present any valid public cert without ever knowing the private key for the cert.

goto fail

[tero]

in
http://opensource.apple.com/so...

  if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
                goto fail;
                goto fail;

Re:goto fail

[tero]

Yeah, you'd think a compiler should have caught that.. but neither GCC or Xcode seems to do that..

Adam Langley has a great blog post dissecting this:
https://www.imperialviolet.org...

Re:warning about unreachable code

[eddy]

Sorry, it's not there. It's silently ignored, which is the WORST POSSIBLE SOLUTION to the problem. Ugh.

The -Wunreachable-code has been removed, because it was unstable: it relied on the optimizer, and so different versions of gcc would warn about different code. The compiler still accepts and ignores the command line option so that existing Makefiles are not broken. In some future release the option will be removed entirely.

http://gcc.gnu.org/ml/gcc-help...