Most people don't give much thought to what happens when you connect to your bank's website or log in to your email account. For most people, securely connecting to a website seems as simple as checking to make sure the little padlock in the address bar is present. However, in the background there are many different steps that are taken to ensure you are safely and securely connecting to the websites that claim they are who they are. This process includes certificate validation, or making sure that the servers that users are connecting to present "identification" showing they are legitimate. This helps to protect users from fraudulent servers that might otherwise steal sensitive information.
Due to the sensitive nature of this process, software vulnerabilities that adversely impact the security of certificate validation could have major consequences. Unfortunately, digital systems are complex and bugs are an inevitable reality in software development. Identifying vulnerabilities and responsibly disclosing them improves the security of the internet by eliminating potential attack vectors. Talos is committed to improving the overall security of the internet and today we are disclosing TALOS-2017-0296 (CVE-2017-2485), a remote code execution vulnerability in the X.509 certificate validation functionality of Apple macOS and iOS. This vulnerability has been responsibly disclosed to Apple and software updates have been released that address this issue for both macOS and iOS.
Vulnerability Details
TALOS-2017-0296 (CVE-2017-2485) was identified by Aleksandar Nikolic of Talos.
A use-after-free vulnerability in the X.509 certificate validation functionality of Apple macOS and iOS has been identified which could lead to arbitrary code execution. This vulnerability manifests due to improper handling of X.509v3 certificate extensions fields. A specially crafted X.509 certificate could trigger this vulnerability and potentially result in remote code execution on the affected system.
On Apple macOS and iOS, most client applications (e.g. Safari, Mail.app, Google Chrome) use the built in system certificate validation agent to validate a X.509 certificate. An application that passes a malicious certificate to the certificate validation agent could trigger this vulnerability. Possible scenarios where this could be exploited include users connecting to a website which serves a malicious certificate to the client, Mail.app connecting to a mail server that provides a malicious certificate, or opening a malicious certificate file to import into the keychain.
For the full details, please read our vulnerability report.
Talos has confirmed macOS Sierra 10.12.3 and iOS 10.2.1 are vulnerable. Older versions of macOS and iOS are likely affected. However, Talos has not verified that they are.
Coverage
Talos has developed the following Snort rules to detect attempts to exploit this vulnerability. Note that these rules are subject to change pending additional vulnerability information. For the most current information, please visit your FireSIGHT Management Center or Snort.org.
Snort Rule: 41999
Protecting Customers
Bugs are an inevitable part of software development. With the complexity of digital systems only due to increase, identifying bugs that are security issues will remain a major challenge that Talos will continue to undertake. By researching ways to identify vulnerabilities and responsibly disclosing them, we can improve the security of our customer's networks and the entire internet.
For other vulnerabilities Talos has disclosed, please visit to our Vulnerability Report Portal: http://www.talosintelligence.com/vulnerability-reports/
To review our Vulnerability Disclosure Policy, please refer to our policy here:
http://www.cisco.com/c/en/us/about/security-center/vendor-vulnerability-policy.html