A security researcher has released a new workaround for the critical vulnerability in the Apple iOS operating system related to the way that the OS handles SSL certificate validation. The workaround makes some key checks in the certificate chain that the vulnerable versions of iOS and a previous workaround fail to execute.
The iPhone SSL bug came to light in July and involves the failure of the operating system to validate the certificate chain. Specifically, it could allow an attacker to get a legitimate certificate for a valid domain and, with that, execute a man-in-the-middle attack against iPhone users who visit the site and capture their traffic.
Apple patched the iOS vulnerability on Aug. 1 with the release of iOS 4.3.5, and experts have been encouraging users to update as soon as possible because of the seriousness of the vulnerability. Trustwave’s SpiderLabs, which discovered the flaw, released a workaround for the problem as well, but researchers at Duo Security found that it didn’t entirely address the issue. So the Duo researchers developed their own workaround.
“At a high level, our workaround functions by first using iOS’s built-in frameworks to validate a certificate chain for an SSL connection, and then – if iOS determines that the chain is valid – double-checking its result using OpenSSL. In this case, both implementations are slightly incomplete: iOS, as we now know, fails to check basicConstraints; meanwhile, our relatively simplistic OpenSSL verification routine does not bother to – for example – check that the leaf certificate’s hostname matches the URL request. Running these two checks in sequence, though, we should have everything covered,” Duo’s Adam Goodman wrote.
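The two-pass logic described in the quote, as a simplified model added here (not Duo's code, and not real X.509 parsing): the `cert_t` struct, the function names, the trust anchor and the sample chains are all constructed for illustration. Each pass has the gap the quote attributes to it, and only requiring both to accept rejects a wrong hostname as well as a chain with a non-CA certificate in an issuer position.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified certificate model (hypothetical; real code reads X.509 fields). */
typedef struct {
    const char *subject, *issuer;
    bool is_ca;                    /* basicConstraints CA flag */
} cert_t;
#define TRUSTED_ROOT "Example Root CA"   /* constructed trust anchor */

/* Pass 1, modelled on the platform check in the quote: hostname, issuer
   linkage and trust anchor, but basicConstraints is never consulted. */
static bool platform_check(const cert_t *c, size_t n, const char *host) {
    if (n == 0 || strcmp(c[0].subject, host) != 0) return false;
    for (size_t i = 0; i + 1 < n; i++)
        if (strcmp(c[i].issuer, c[i + 1].subject) != 0) return false;
    return strcmp(c[n - 1].subject, TRUSTED_ROOT) == 0;
}

/* Pass 2, modelled on the simple second routine: every certificate above
   the leaf must be a CA. It does not look at the hostname. */
static bool constraints_check(const cert_t *c, size_t n) {
    for (size_t i = 1; i < n; i++)
        if (!c[i].is_ca) return false;
    return n > 0;
}

/* Accept only when both passes accept. */
static bool validate(const cert_t *c, size_t n, const char *host) {
    return platform_check(c, n, host) && constraints_check(c, n);
}
/* Constructed sample chains, leaf first. */
static const cert_t good[] = {
    {"shop.example", "Example Issuing CA", false},
    {"Example Issuing CA", TRUSTED_ROOT, true},
    {TRUSTED_ROOT, TRUSTED_ROOT, true}};
static const cert_t bad[] = {      /* end-entity cert in an issuer slot */
    {"shop.example", "other.example", false},
    {"other.example", "Example Issuing CA", false},
    {"Example Issuing CA", TRUSTED_ROOT, true},
    {TRUSTED_ROOT, TRUSTED_ROOT, true}};

int main(void) {
    printf("good: %d  bad: %d\n", validate(good, 3, "shop.example"),
           validate(bad, 4, "shop.example"));
    return 0;
}
```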
Duo also released a test app for the iPhone that enables users to enter a URL and send a request to the site to connect. If the site does not have a valid certificate chain, then the request will fail and the app will return an error message. The app uses OpenSSL to validate the results of the workaround’s checks.
The workaround is available at GitHub.