Apple Mitigates AirPort Router Hole

Monday, June 27, 2016 @ 09:06 AM gHale


Apple fixed its AirPort routers to address a remote code execution (RCE) vulnerability.

Apple said the problem is a memory corruption related to DNS data parsing that allows a remote attacker to execute arbitrary code.


Apple patched the vulnerability, tracked as CVE-2015-7029, with the release of firmware versions 7.6.7 and 7.7.7 for AirPort Express, Extreme, and Time Capsule base stations with 802.11n, and AirPort Extreme and Time Capsule devices with 802.11ac. The firmware updates can be installed using the AirPort Utility for OS X or iOS.

Two methods could be used to exploit this type of vulnerability to take over an AirPort router.

The first way is to feed malformed DNS requests to an AirPort set up to reply to queries from the Internet, said Paul Ducklin, senior security advisor at Sophos. The second method is to feed malformed replies to an AirPort that makes outbound DNS requests on behalf of the devices on its internal network.

“The latter is obviously a much more serious flaw, and we think it’s probably the sort of bug that Apple is talking about here,” Ducklin said in a blog post.

These types of vulnerabilities are not difficult to exploit. An attacker needs to register a domain, set up a malicious DNS server to answer queries about that domain, and send the targeted user a link to a webpage containing content apparently hosted on the attack domain.

“All that matters is that some device on the target network should decide to ask an unpatched AirPort router, ‘Where do I find example.org?’,” Ducklin said. “The router will then pass this question on to the global DNS network, which will answer by referring the router to your own, booby-trapped DNS server, assuming that’s registered as the official DNS server for your ‘attack domain’.”
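The reply path Ducklin describes comes down to the router trusting length fields and compression pointers in a DNS reply it did not originate. As an added illustration, not code from Apple's firmware or from the article, here is a bounds-checked DNS name decoder in C; the sample reply bytes and the helper names are constructed for this example, and since the patched bug is not publicly detailed, this shows the class of check such a parser needs rather than the fix itself.

```c
#include <stdint.h>
#include <string.h>

/* Decode the DNS name at pkt[off] into out (dotted text), checking every read
 * against len so a bad label length or compression pointer is rejected rather
 * than read past the packet. Returns bytes consumed at off, or -1 if malformed. */
int dns_read_name(const uint8_t *pkt, size_t len, size_t off,
                  char *out, size_t outlen)
{
    size_t pos = off, outpos = 0, consumed = 0;
    int jumped = 0;
    if (outlen == 0) return -1;
    for (;;) {
        if (pos >= len) return -1;                 /* length byte past end */
        uint8_t c = pkt[pos];
        if (c & 0xC0) {                            /* pointer or reserved */
            if ((c & 0xC0) != 0xC0 || pos + 1 >= len) return -1;
            size_t target = ((size_t)(c & 0x3F) << 8) | pkt[pos + 1];
            if (target >= pos) return -1;          /* forward ref or loop */
            if (!jumped) consumed = pos + 2 - off;
            jumped = 1;
            pos = target;
            continue;
        }
        if (c == 0) {                              /* root label ends name */
            if (!jumped) consumed = pos + 1 - off;
            out[outpos ? outpos - 1 : 0] = '\0';   /* drop trailing dot */
            return (int)consumed;
        }
        if (pos + 1 + c > len) return -1;          /* label overruns packet */
        if (outpos + c + 1 > outlen || outpos + c > 254) return -1;
        memcpy(out + outpos, pkt + pos + 1, c);    /* both bounds hold here */
        outpos += c;
        out[outpos++] = '.';
        pos += 1 + c;
    }
}

/* Constructed sample: 12-byte header, name "example.org", pointer to it. */
const uint8_t sample_reply[] = {
    0x00, 0x01, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'o', 'r', 'g', 0, 0xC0, 0x0C };

/* 1 if the name at off decodes to expect, 0 if not, -1 if rejected. */
int name_matches(const uint8_t *pkt, size_t len, size_t off, const char *expect)
{
    char name[256];
    if (dns_read_name(pkt, len, off, name, sizeof name) < 0) return -1;
    return strcmp(name, expect) == 0;
}
```

Feeding the same bytes with a shortened length, or a pointer that refers to itself, makes the decoder return -1 instead of reading past the buffer.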

For users, the question is always whether or not to patch. “Remote code execution bugs are always worth fixing, especially if they can be triggered by apparently innocent and unexceptional network activity that happens automatically, without users needing to click through any warning dialogs,” Ducklin said. “In other words, if you’re an Apple AirPort owner, get busy patching this one as soon as you can.”