Slashdot Mirror

← Back to Stories (view on slashdot.org)

Apple Fixes Dangerous SSL Authentication Flaw In iOS

Posted by timothy on from the are-you-telling-us-the-whole-story? dept.

wiredmikey writes "Users of iOS devices will find themselves with a new software update to install, thanks to a certificate validation flaw in the mobile popular OS. While Apple provides very little information when disclosing security issues, the company said that an attacker with a 'privileged network position could capture or modify data in sessions protected by SSL/TLS.' 'While this flaw itself does not allow an attacker to compromise a vulnerable device, it is still a very serious threat to the privacy of users as it can be exploited through Man-in-the-Middle attack,' VUPEN's Chaouki Bekrar told SecurityWeek. For example, when connecting to an untrusted WiFi network, attackers could spy on user connections to websites and services that are supposed to be using encrypted communications, Bekrar said. Users should update their iOS devices to iOS 7.0.6 as soon as possible." Adds reader Trailrunner7: "The wording of the description is interesting, as it suggests that the proper certificate-validation checks were in place at some point in iOS but were later removed somehow. The effect of an exploit against this vulnerability would be for an attacker with a man-in-the-middle position on the victim's network would be able to read supposedly secure communications. It's not clear when the vulnerability was introduced, but the CVE entry for the bug was reserved on Jan. 8."

24 of 101 comments (clear)

  1. And thus is it delivered to all supported devices by Rosyna · · Score: 4, Informative

    The update is available to all supported devices (From the iPhone 3GS running 6.1.x and up).

  2. How about OS X? by rvw · · Score: 4, Insightful

    I heard OSX has the same problem.

    @Apple: Admit that it exists (plus give advice how to prevent problems) or let us know that OSX is safe.

    1. Re:How about OS X? by berj · · Score: 5, Informative

      Yes. 10.9.1 has this problem (not sure about earlier versions). 10.9.2, which is in beta, patches the problem. Should be released soon.

  3. Re:And thus is it delivered to all supported devic by berj · · Score: 3, Informative

    They also released 6.1.6 which patches this bug.

  4. Details of bug by DrDevil · · Score: 5, Informative

    The bug is that the cn hostname from the certificate is not verified. So it's possible to use your own website SSL cert as a cert for any other site and Apple devices will accept it no question. Of course, to exploit, you'd need to modify a tool like webmitm to serve a fixed certificate.

    Very very dangerous, seems to be a result of switching away from OpenSSL although details are still flaky.

    1. Re:Details of bug by am+2k · · Score: 3, Insightful

      Apple never "switched away" from openssl, they shipped their own implementation with the very first version of Mac OS X. They only packaged openssl with the system for other apps to use. I actually rewrote the XMPP encryption stuff in Adium to use the security framework instead of openssl way back in 2007, since that allowed me to use the built-in system dialogs for presenting certificates.

    2. Re: Details of bug by Anonymous Coward · · Score: 2, Informative

      That's not the bug at all. It has nothing to do with hostname verification whatsoever. In fact, traditional RSA+AES CBC connections are not affected at all. Only ephemeral, or so-called "perfect forward secrecy" key exchanges are affected.

      However because cipher choice and handshake choice are left to the server (picking from a set that the client advertises) in the protocol, a malicious server can always pick the vulnerable key exchange and exploit it.

      The precise bug is subtle. The failure to verify the hashed signature of the ephemeral key exchange means that the server can present any valid public cert without ever knowing the private key for the cert.

  5. goto fail by tero · · Score: 5, Informative

    in
    http://opensource.apple.com/so...

      if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
                    goto fail;
                    goto fail;

    1. Re:goto fail by Anonymous Coward · · Score: 2, Interesting

      ?! Any decent compiler would throw up a warning for unreachable code. I know that the whole "many eyes" thing is a miss and an audit of any open source code will usually pick up trivial problems, but that one doesn't even make any sense unless Apple coding practices are so poor that no sensible person would touch their products.

    2. Re:goto fail by tero · · Score: 4, Informative

      Yeah, you'd think a compiler should have caught that.. but neither GCC or Xcode seems to do that..

      Adam Langley has a great blog post dissecting this:
      https://www.imperialviolet.org...

    3. Re: goto fail by ugen · · Score: 2

      Curious. This would seem to result in a failure every time. Without reading the code further - how could auth ever succeed? Or did it ignore the failure return code and relied on hash update results anyway?

      Switching away from OpenSSL that is widely used and audited for generations of releases to homegrown crypto is a mistake on Apples part. This is most certainly not the last security flaw in their code we will see.

    4. Re: goto fail by tero · · Score: 2

      Yeah, the hash update succeeds, so err contains successful value when it jumps to the end. It never reaches the dead part where it updates.

    5. Re: goto fail by ugen · · Score: 3, Insightful

      Dumb. We are in for more than that. It took a decade to get OpenSSL clean with many more eyes on it.

    6. Re:goto fail by AmiMoJo · · Score: 2

      It's similar to some of the bugs that the NSA/GCHQ have inserted in the past. Knowing this we should really make compilers detect this kind of error.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    7. Re:goto fail by BitZtream · · Score: 2

      The linked file uses both braces for single line ifs and without braces for single line IF's ... that is a really bad sign as a developer in my opinion. That means they aren't enforcing style guidelines and that makes code a fuckton harder to read. I can adapt to either style fairly easy, but when you mix it my mind gets wonky, my mind tends to find it ambiguous too!

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  6. Re: And thus is it delivered to all supported devi by AHuxley · · Score: 2

    The AC seems to be hoping we have all forgotten
    "Revealed: how US and UK spy agencies defeat internet privacy and security" (6 September 2013)
    http://www.theguardian.com/wor...

    --
    Domestic spying is now "Benign Information Gathering"
  7. Re:warning about unreachable code by eddy · · Score: 4, Informative
    Sorry, it's not there. It's silently ignored, which is the WORST POSSIBLE SOLUTION to the problem. Ugh.

    The -Wunreachable-code has been removed, because it was unstable: it relied on the optimizer, and so different versions of gcc would warn about different code. The compiler still accepts and ignores the command line option so that existing Makefiles are not broken. In some future release the option will be removed entirely.

    http://gcc.gnu.org/ml/gcc-help...

    --
    Belief is the currency of delusion.
  8. Re:Jailbreakers by MikeMo · · Score: 2

    Apple's strategy is to test, test, test and then test the best they can, release multiple beta versions to developers for testing, take a very long time to release new versions, and then patch the missed bugs that show up as fast as they can. Pretty much the way any professional software house does business.

    Or are you of the opinion that it's possible to release such a massive amount of code totally bug-free?

  9. Goto? by BlackPignouf · · Score: 2

    1) I haven't seen GOTO statements since my GWBASIC days, and I've surely never seen this many.
    2) I really like one-liners for if statements in Ruby: "do_this if x==1"
    3) Two-liners for C if statements without curly braces feel wrong, are dangerous and hard to read
    4) http://xkcd.com/292/
    5) GOTO 1

  10. Re:Update their iOS devices to iOS 7.0.6 by Rosyna · · Score: 2

    Or they could update to iOS 6.1.6 on their iPhone 3GS (previous versions of iOS did not have this bug)

  11. Re:Update their iOS devices to iOS 7.0.6 by immaterial · · Score: 2

    Really... Five hours after the *first post* already shot down this claim?

  12. Re:You can prevent problems by not trusting SSL by dkf · · Score: 2

    Really, why would you trust a system where someone you dont know or trust is in charge of the private keys for the encryption?

    Failing to secure your connections is just wilfully stupid. SSL is the best option we've got to avoid a whole range of attacks (it's far easier than the alternatives) but it does require correct implementations and careful selection of who to trust; SSL itself does not specify who to trust (and how can it? It's just a technical protocol for how to establish a secure channel over an insecure connection, typically implemented with TCP/IP).

    Explicitly listing who to trust is best, but it's extremely hard to scale up (since you have to pre-share the keys). A web-of-trust scales better, but once someone makes a mistake (easily done) it all crumbles. Using a certificate authority scales much better, and isn't quite as brittle as a WoT, but it does rely on the CAs (especially the root CAs; non-roots are easier to discipline) being very highly trustworthy. Commercial pressures are unlikely to make limiting the scope of domains that any CA can issue for practical (and in any case, certificates are not tied to domains in general; that's a feature of some particular types of certificates only).

    Every time someone suggests "oh we can't trust SSL" it is invariably because they don't know what it does and doesn't do, and because they think that there's only one kind of threat. That's incredibly wrong-headed and foolish.

    --
    "Little does he know, but there is no 'I' in 'Idiot'!"
  13. Re:Increase safety by avoiding proprietary softwar by 93+Escort+Wagon · · Score: 2

    Given this bug exists in published open source code, I'm not sure how your point is relevant to this particular issue.

    https://www.imperialviolet.org...

    Open source code is not a panacea. Have you not been paying attention to the number of RHEL kernel updates (to pick one example) released in 2014?

    --
    #DeleteChrome
  14. Re:And thus is it delivered to all supported devic by Anonymous+Brave+Guy · · Score: 3, Funny

    Unfortunately, Apple seem to have abandoned iOS 5 support already.

    iOS 6 isn't even 18 months old yet and was their Windows Vista, so a lot of people didn't upgrade. iOS 7 isn't even 6 months old, had security problems of its own at launch, and runs like a limping dog on some very popular devices still in widespread use, so a lot of people didn't upgrade to that either.

    The vulnerability here was caused by a rookie error that could easily have been found and fixed by following any one of several best practices in their software development process, and for something security-related they should have been following all of them.

    This is a very poor show from Apple on all counts. :-(

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.