T-676: Apple iOS Certificate Chain Validation Flaw Lets Certain Remote Users Access or Modify SSL/TLS Sessions

July 26, 2011 - 1:06am

PROBLEM:

A vulnerability was reported in Apple iOS. A remote user with the ability to conduct a man-in-the-middle attack can access or modify SSL/TLS sessions.

PLATFORM:

iOS 4.2.5 through 4.2.9 for iPhone 4 (CDMA)
iOS 3.0 through 4.3.4 for iPhone 3GS and iPhone 4 (GSM)
iOS 3.1 through 4.3.4 for iPod touch (3rd generation) and later
iOS 3.2 through 4.3.4 for iPad

ABSTRACT:

Apple iOS Certificate Chain Validation Flaw Lets Certain Remote Users Access or Modify SSL/TLS Sessions.

REFERENCE LINKS:

SecurityTracker Alert ID: 1025837
Apple Article: HT4824
Apple Article: HT4825
Apple Product Security
CVE-2011-0228

IMPACT ASSESSMENT:

Medium

Discussion:

A remote user in a privileged network position can exploit a certificate chain validation flaw to access or modify data ostensibly protected by SSL/TLS.

A certificate chain validation issue existed in the handling of X.509 certificates. An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS. Other attacks involving X.509 certificate validation may also be possible. This issue is addressed through improved validation of X.509 certificate chains.
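The advisory does not say which validation step was missing. As an added example (not from the advisory or from Apple), the script below builds a small constructed PKI with openssl and shows what a correct X.509 chain validator must do: accept a server certificate issued through a genuine intermediate CA, and reject a certificate whose only path to the trusted root runs through an end-entity certificate that is not marked as a CA. It assumes openssl 1.1.1 or newer on PATH and writes only to a temporary directory.

```shell
#!/bin/sh
# Added example, not from the advisory or Apple: exercise X.509 chain validation with
# openssl. Assumes openssl 1.1.1+ on PATH; every certificate below is constructed here.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Self-signed root whose basicConstraints extension marks it as a CA.
make_root() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Constructed Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/root.ext"
  openssl x509 -req -days 1 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/root.ext" -out "$WORK/root.pem" 2>/dev/null
}

# issue NAME ISSUER CA:TRUE|CA:FALSE - sign a certificate for NAME with ISSUER's key.
# Signing itself never checks whether ISSUER is a CA; only the validator can.
issue() {
  name="$1"; issuer="$2"; bc="$3"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  printf 'basicConstraints=critical,%s\n' "$bc" > "$WORK/$name.ext"
  openssl x509 -req -days 1 -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" \
    -CAkey "$WORK/$issuer.key" -CAcreateserial -extfile "$WORK/$name.ext" \
    -out "$WORK/$name.pem" 2>/dev/null
}

# chain_ok LEAF [INTERMEDIATE...] - succeeds only if LEAF chains to the trusted root and
# every issuer on the path is a CA (openssl reports "invalid CA certificate" otherwise).
chain_ok() {
  leaf="$1"; shift
  if [ "$#" -eq 0 ]; then
    openssl verify -CAfile "$WORK/root.pem" "$WORK/$leaf.pem" >/dev/null 2>&1
  else
    : > "$WORK/untrusted.pem"
    for c in "$@"; do cat "$WORK/$c.pem" >> "$WORK/untrusted.pem"; done
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/untrusted.pem" \
      "$WORK/$leaf.pem" >/dev/null 2>&1
  fi
}

make_root
issue intermediate root CA:TRUE          # genuine intermediate CA
issue server intermediate CA:FALSE       # ordinary end-entity certificate
issue rogue server CA:FALSE              # signed with the end-entity key, not a CA key

chain_ok server intermediate && echo "server: accepted, every issuer is a CA"
chain_ok rogue server intermediate || echo "rogue: rejected, issuer is not a CA"
```

A validator that skips the CA check on intermediate issuers would accept the rogue certificate even though the root never authorised the server key to issue anything.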

Impact:

A remote user can access and modify data within an SSL/TLS session.

Solution:

The vendor has issued a fix: iOS 4.2.10 for iPhone 4 (CDMA), and iOS 4.3.5 for iPhone 3GS, iPhone 4 (GSM), iPod touch (3rd generation) and later, and iPad.
Apple Support