Apple has released another new version of its iOS operating system for iPhones and other devices that fixes a security vulnerability in the way that the software handled SSL certificates and validated their authenticity. An attacker exploiting the bug might be able to intercept SSL traffic, Apple warned.
The new iPhone software comes just five days after Apple released iOS 4.3.4, which was mainly a fix for the PDF jailbreak bug that a security researcher had discovered and used to help users jailbreak their devices. The new iOS 4.3.5 contains just one security update, but it’s an important one that fixes a serious issue with the way that the devices validated digital certificates.
“A certificate chain validation issue existed in the handling of X.509
certificates. An attacker with a privileged network position may capture
or modify data in sessions protected by SSL/TLS. Other attacks
involving X.509 certificate validation may also be possible. This issue
is addressed through improved validation of X.509 certificate chains,” the Apple advisory says.
The details of the vulnerability are fairly opaque, but the description implies that an attacker who has already compromised a machine on a given network and has the ability to see and identify SSL sessions might be able to decrypt the traffic and modify it. This kind of man-in-the-middle attack is quite common and would require the attacker to already have a foothold on the network in order to execute it.
The exact attack scenario isn’t clear from Apple’s advisory, but researchers at Trustwave’s SpiderLabs, who discovered the bug, said in an advisory that the vulnerability allows an attacker to use an existing valid certificate to sign a new valid one for any domain. The flaw is the result of iOS failing to check the validity chain of certificates.
“iOS’s SSL certificate parsing contains a flaw where it fails to check the
basicConstraints parameter of certificates in the chain. By signing a new
certificate using a legitimate end entity certificate, an attacker can
obtain a “valid” certificate for any domain,” the SpiderLabs advisory says.
“Using this technique any SSL traffic using the api.someotherdomain.com
certificate can be intercepted and decrypted by the issuer. No notification
of the invalid nature of the certificate is presented to the iOS user.
This method allows for transparent man-in-the-middle attacks against
encrypted iOS communications.”
The 4.3.5 update applies to iPhone 3GS, the iPhone 4 on GSM networks, the iPad and the iPod Touch.