Security Community Blog

Apple's SSL bug in iOS and OS X - CVE-2014-1266

Created: 25 Feb 2014 • Updated: 18 Mar 2014
Author: SebastianZ

Apple released a security update, iOS 7.0.6; the details from the advisory are as follows:

---------

Available for: iPhone 4 and later, iPod touch (5th generation), iPad 2 and later

Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS

Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.

CVE-ID: CVE-2014-1266

The SSLVerifySignedServerKeyExchange function in libsecurity_ssl/lib/sslKeyExchange.c in the Secure Transport feature in the Data Security component in Apple iOS 6.x before 6.1.6 and 7.x before 7.0.6, Apple TV 6.x before 6.0.2, and Apple OS X 10.9.x before 10.9.2 does not check the signature in a TLS Server Key Exchange message, which allows man-in-the-middle attackers to spoof SSL servers by using an arbitrary private key for the signing step or omitting the signing step.

Source: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1266

-----------

The released security update fixes a bug in the SSL/TLS implementation (Secure Transport) on iOS that would allow a man-in-the-middle attacker to intercept SSL-protected data. Affected versions include iOS up to version 7.0.5 and OS X before 10.9.2. Apple has already issued a fix for iOS in version 7.0.6, and according to Apple a similar fix for OS X should be expected shortly.
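The advisory states that the signature on the TLS Server Key Exchange message is never checked. The C sketch below is an added illustration, not Apple's code and not code from this post: it models the control-flow shape behind the bug (a duplicated, unconditional `goto fail;` that jumps past the final verification step while `err` still holds the success value of the previous step) next to the corrected form. The helper names `hash_update` and `raw_verify`, the placeholder value given to `errSSLCrypto`, and the signature bytes are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration of the control-flow shape behind CVE-2014-1266.
 * Not Apple's code: hash_update, raw_verify, the signature bytes and the
 * placeholder error value are constructed for this example. */

typedef int OSStatus;
#define errSSLCrypto (-1) /* placeholder value standing in for a verification error */

/* Stand-in for the hash-update steps that precede the signature check.
 * Returns 0 on success, errSSLCrypto if the input is missing. */
static OSStatus hash_update(const unsigned char *data, size_t len)
{
    (void)len;
    return (data == NULL) ? errSSLCrypto : 0;
}

/* Stand-in for the real signature verification: only the exact
 * constructed byte string "good-signature" is accepted. */
static OSStatus raw_verify(const unsigned char *sig, size_t sig_len)
{
    static const unsigned char expected[] = "good-signature";
    if (sig_len != sizeof(expected) - 1)
        return errSSLCrypto;
    return memcmp(sig, expected, sig_len) == 0 ? 0 : errSSLCrypto;
}

/* Vulnerable shape. The second "goto fail;" is not inside the if body,
 * so it is always executed: raw_verify() is never reached and the
 * function returns the err left by the successful hash_update(), i.e. 0.
 * Any signature, or none at all, is therefore accepted. */
OSStatus verify_vulnerable(const unsigned char *params, size_t params_len,
                           const unsigned char *sig, size_t sig_len)
{
    OSStatus err;
    if ((err = hash_update(params, params_len)) != 0)
        goto fail;
        goto fail; /* duplicated line: always taken, skips the signature check */
    if ((err = raw_verify(sig, sig_len)) != 0)
        goto fail;
fail:
    return err;
}

/* Fixed shape: one goto per condition, braces on every if so a stray
 * statement can no longer fall outside the conditional it belongs to. */
OSStatus verify_fixed(const unsigned char *params, size_t params_len,
                      const unsigned char *sig, size_t sig_len)
{
    OSStatus err;
    if ((err = hash_update(params, params_len)) != 0) {
        goto fail;
    }
    if ((err = raw_verify(sig, sig_len)) != 0) {
        goto fail;
    }
fail:
    return err;
}

int main(void)
{
    const unsigned char params[] = "server-key-exchange-params"; /* constructed */
    const unsigned char bad_sig[] = "forged";                     /* constructed */
    size_t plen = sizeof(params) - 1, slen = sizeof(bad_sig) - 1;

    printf("vulnerable, bad signature: %d (0 means accepted)\n",
           verify_vulnerable(params, plen, bad_sig, slen));
    printf("fixed,      bad signature: %d\n",
           verify_fixed(params, plen, bad_sig, slen));
    return 0;
}
```

Two points the sketch makes for defenders: the bug is invisible at runtime to anything that only watches error codes, because the function reports success; and it is visible at build time, since compilers flag the statement after the second `goto` as unreachable (for example GCC and Clang with `-Wunreachable-code`), so treating that warning as an error in the TLS library's build would have caught it.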


Current recommendations for iOS version 7.0.5 or older:

- update to version 7.0.6 immediately (perform the update over a trusted connection)


Current recommendations for OS X versions older than 10.9.2 include:

- use an alternate browser: currently Firefox and Chrome have been deemed safe from this bug, as they use their own SSL/TLS libraries rather than Secure Transport

- avoid using public and unsecured networks (especially Wi-Fi networks)

- as soon as Apple releases the fix for OS X, apply the patch to the affected versions to remediate

- AV or IPS protection is not feasible for this issue


References:

About the security content of iOS 7.0.6
http://support.apple.com/kb/HT6147

Anatomy of a "goto fail" - Apple's SSL bug explained, plus an unofficial patch for OS X!
http://nakedsecurity.sophos.com/2014/02/24/anatomy-of-a-goto-fail-apples-ssl-bug-explained-plus-an-unofficial-patch/

Apple security update fixes iOS vulnerability
http://news.cnet.com/8301-13579_3-57619299-37/apple-security-update-fixes-ios-vulnerability/

Urgent iPhone and iPad security update, Mac OS X pending
http://www.welivesecurity.com/2014/02/22/urgent-iphone-and-ipad-security-update-mac-os-x-pending

Protect your Mac from SSL bug
http://reviews.cnet.com/8301-13727_7-57619382-263/protect-your-mac-from-ssl-bug/