iOS & OS 10.9 SSL Certificate Vulnerability CVE-2014-1266

ClassicII
Contributor III

This all went down late Friday, so most of us missed it if you did not hear about it over the weekend.

iOS 7.0.6 was released
Still no patch for 10.9 yet. The last word was the beta version of 10.9.2 was still vulnerable. Apple says the patch will be out "Very Soon". 10.8 does not look to be affected.

Data Security

Impact: An attacker with a privileged network position or on the same local or wifi network may capture or modify data in sessions protected by SSL/TLS.

Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.

http://support.apple.com/kb/HT6147
http://www.reuters.com/article/2014/02/22/apple-encryption-idUSL2N0LR0GW20140222
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1266

Test your OS
https://www.imperialviolet.org
From the site owner: "I coded up a very quick test site at https://www.imperialviolet.org:1266. Note the port number (which is the CVE number), the normal site is running on port 443 and that is expected to work. On port 1266 the server is sending the same certificates but signing with a completely different key. If you can load an HTTPS site on port 1266 then you have this bug."

gotofail.com


JPDyson
Valued Contributor

Are you Adam from IV? May want to quote-block his words if not, just for clarity.

The manual bspatch offered by SektionEins seems to be effective, but I have reservations about deploying it. #understatement

http://www.sektioneins.de/en/blog/14-02-22-Apple-SSL-BUG.html

ClassicII
Contributor III

Updated that, thanks.

Another interesting note: it seems the people who are still holding on to iOS 6 on iPhone 4 and 4s cannot update to 6.1.6. They are forced to go to 7.0.6, as 6.1.6 is only for devices that cannot upgrade to iOS 7.

Matt
Valued Contributor

Just business as usual for a Mac admin ;) No Patch Tuesday style implementation means we just have to work through these things. Luckily it doesn't seem like anything super critical like all those terrible Java holes we had previously.

ClassicII
Contributor III

Posted this in the other thread, but might as well bring this one to a close.

10.9.2 Combo
http://support.apple.com/kb/DL1726

Security updates 2014-001 for

10.8
http://support.apple.com/kb/DL1729

10.7
http://support.apple.com/kb/DL1727

What is interesting here is the fact that this is the first time a security update has been released since before 10.9.

Also, we were under the impression that 10.7 and 10.8 were not affected by this. Why the security patch then?
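
For admins triaging an inventory export against the fixed releases named in this thread (OS X 10.9.2, iOS 7.0.6, iOS 6.1.6), the script below is an added example and not part of any post above. The function names, platform labels (`osx`, `ios`), status words and inventory lines are constructed for illustration; 10.7 and 10.8 are reported as `review` because the thread lists Security Update 2014-001 for them without settling whether this CVE applies.

```shell
#!/bin/sh
# Added example, not from the thread. Fixed versions are the ones the thread
# names for CVE-2014-1266: OS X 10.9.2, iOS 7.0.6, iOS 6.1.6.

# ver_lt A B: succeed when dotted numeric version A sorts below B.
ver_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 1; fi
    done
    return 1
}

# cve_status PLATFORM VERSION: print vulnerable, fixed, review, not-listed or unknown.
cve_status() {
    case $2 in ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return 0 ;; esac
    case "$1:$2" in
        osx:10.9|osx:10.9.*) fix=10.9.2 ;;
        ios:7|ios:7.*)       fix=7.0.6 ;;
        ios:6|ios:6.*)       fix=6.1.6 ;;   # only offered to devices that cannot run iOS 7
        osx:10.7|osx:10.7.*|osx:10.8|osx:10.8.*) echo review; return 0 ;;
        *) echo not-listed; return 0 ;;
    esac
    if ver_lt "$2" "$fix"; then echo vulnerable; else echo fixed; fi
}

# triage: read "host,platform,version" lines on stdin and append a status.
triage() {
    while IFS=, read -r host platform version; do
        [ -n "$host" ] || continue
        printf '%s %s %s %s\n' "$host" "$platform" "$version" "$(cve_status "$platform" "$version")"
    done
}

# Constructed sample inventory (hypothetical hosts).
sample_inventory() {
    cat <<'EOF'
mac-lab-01,osx,10.9.1
mac-lab-02,osx,10.9.2
mac-lab-03,osx,10.8.5
ipad-cart-07,ios,7.0.4
ipod-touch4-12,ios,6.1.5
EOF
}

sample_inventory | triage
```

On a Mac, the local version string for `cve_status osx` can be taken from `sw_vers -productVersion`.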