New Workaround Released For iOS SSL Flaw

Author: Dennis Fisher
minute read

A security researcher has released a new workaround for the critical vulnerability in the Apple iOS operating system related to the way that the OS handle SSL certificate validation. The workaround makes some key checks in the certificate chain that the vulnerable versions of iOS and a previous workaround fail to execute.

iOS workaroundA security researcher has released a new workaround for the critical vulnerability in the Apple iOS operating system related to the way that the OS handle SSL certificate validation. The workaround makes some key checks in the certificate chain that the vulnerable versions of iOS and a previous workaround fail to execute.

The iPhone SSL bug came to light in July and it involves the failure of the operating system to validate the certificate chain, and specifically could allow an attacker to get a legitimate certificate for a valid domain. With that, he could then execute a man-in-the-middle attack against iPhone users who visit the site and capture their traffic.

Apple patched the iOS vulnerability on Aug. 1 with the release of iOS 4.3.5 and experts have been encouraging users to update as soon as possible because of the seriousness of the vulnerability. Trustwave’s SpiderLabs, which discovered the flaw, released a workaround for the problem as well, but researchers at Duo Security found that it didn’t entirely address the issue. So the Duo researchers developed their own workaround.

“At a high level, our workaround functions by first using iOS’s
built-in frameworks to validate a certificate chain for an SSL
connection, and then – if iOS determines that the chain is valid –
double-checking its result using OpenSSL. In this case, both
implementations are slightly incomplete: iOS, as we now know, fails to
check basicConstraints; meanwhile, our relatively simplistic
OpenSSL verification routine does not bother to – for example – check
that the leaf certificate’s hostname matches the URL request. Running
these two checks in sequence, though, we should have everything covered,” Duo’s Adam Goodman wrote.

Duo also released a test app for the iPhone that enables users to enter a URL and send a request to the site to connect. If the site does not a valid certificate chain, then the request will fail and the app will return an error message. The app uses OpenSSL to validate the results of the workaround’s checks.

The workaround is available at Github.

Suggested articles

Cybersecurity for your growing business
Cybersecurity for your growing business

Topics

Show all

Authors

Threatpost

InfoSec Insider

Infosec Insider Post

Infosec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Sponsored

Sponsored Content

Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.