nSense Vulnerability Research Security Advisory NSENSE-2011-006
---------------------------------------------------------------
t2'11 infosec conference special release
http://www.t2.fi
---------------------------------------------------------------

Affected Vendor:    Apple Inc.
Affected Product:   CalDAV (iOS 3.0 through 4.3.5 for iPhone 3GS and
                    iPhone 4, iOS 3.1 through 4.3.5 for iPod touch
                    (3rd generation) and later, iOS 3.2 through 4.3.5
                    for iPad)
Platform:           iOS
Impact:             Sensitive information interception
Vendor response:    New version released
CVE:                CVE-2011-3253
Credit:             Leszek / nSense
Release date:       12 Oct 2011

Technical details
---------------------------------------------------------------
The calendar synchronization feature of iOS fails to validate the
SSL certificate provided by the server. Therefore, CalDAV
communication can be intercepted by a basic man in the middle
attack. As every request contains a HTTP basic authentication
header, which contains base64-encoded credentials, it is possible
to intercept email account credentials by an attacker that is
suitably positioned (e.g. the same LAN, WLAN) or is able to tamper
with DNS records pointing to the CalDAV server.

The application accepts the untrusted certificate without any
warning or prompt, so the attack will go unnoticed by the user.

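Added example, not part of the nSense advisory or of Apple's code: a Python sketch of the two conditions described above, namely a TLS client context that performs no certificate validation and a request whose Basic header yields the credentials once decoded. The request, host name and account are constructed, and the function names are hypothetical.

```python
import base64
import ssl

def validation_gaps(ctx):
    """List the reasons this client context would accept an untrusted server."""
    gaps = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        gaps.append("certificate chain is not verified")
    if not ctx.check_hostname:
        gaps.append("certificate is not matched against the server name")
    return gaps

def unvalidated_context():
    """Model of the behaviour in the advisory: any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def basic_auth_credentials(raw_request):
    """Return (user, password) from an HTTP Basic Authorization header, or None."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        scheme, _, token = value.strip().partition(" ")
        if name.strip().lower() != "authorization" or scheme.lower() != "basic":
            continue
        try:
            decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
        except ValueError:            # bad base64 or bad UTF-8
            return None
        user, sep, password = decoded.partition(":")
        return (user, password) if sep else None
    return None

# Constructed sample request: host, path and account are made up.
SAMPLE_REQUEST = (
    b"PROPFIND /calendars/user/ HTTP/1.1\r\n"
    b"Host: caldav.example.com\r\n"
    b"Authorization: Basic "
    + base64.b64encode(b"user@example.com:not-a-real-password")
    + b"\r\nDepth: 1\r\n\r\n"
)

if __name__ == "__main__":
    print("default context gaps:", validation_gaps(ssl.create_default_context()))
    print("unvalidated context gaps:", validation_gaps(unvalidated_context()))
    # base64 is an encoding, not encryption: the header decodes without any key.
    print("credentials in request:", basic_auth_credentials(SAMPLE_REQUEST))
```

With validation enabled, the handshake fails before any request is sent, so the header never reaches an untrusted peer.
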
Timeline:
20110407    nSense informed the vendor about the vulnerability
20110409    Vendor started to investigate the issue
20110415    nSense sent a status update request to the vendor
20110415    Vendor provided a status update
20110420    nSense asked the vendor for further information
20110502    nSense resent the previous questions
20110502    Vendor confirmed the vulnerability
20110525    nSense asked the vendor about the patch schedule
20110527    Vendor responded
20110527    nSense asked the vendor for further information
20110531    Vendor responded, unable to provide a date
20110601    nSense asked the vendor for clarification
20110603    Vendor responded
20110603    nSense resent the previous question
20110607    nSense commented the issue, asked the vendor for
            clarification
20110705    nSense asked the vendor for clarification
20110726    nSense asked the vendor whether 4.3.5 fixed the issue
20110727    Vendor responded. Issue not fixed.
20110728    nSense asked the vendor for further details
20110917    Vendor asked for credit information
20110917    nSense responded
20111002    Vendor confirmed release date
20111012    Vendor releases fixed version of the software
20111012    Vendor releases public advisory

Solution:
Apple security updates are available via the Software Update
mechanism: http://support.apple.com/kb/HT1338

Apple security updates are also available for manual download via:
http://www.apple.com/support/downloads/

More information from Apple Inc.:
http://support.apple.com/kb/HT1222

Links:
http://www.nsense.fi
http://www.nsense.dk