Apple iOS and TV secure transmission function connection verification Bypass Vulnerability

Release date:
Updated on:

Affected Systems:
Apple TV <6.0.2
Apple iOS <7.0.6
Apple iOS <6.1.6
Apple OS X Server <10.9.2
Description:
--------------------------------------------------------------------------------
Bugtraq id: 65738
CVE (CAN) ID: CVE-2014-1266

IOS is an operating system developed by Apple for mobile devices. It supports iPhone, iPod touch, iPad, and Apple TV.

Libsecurity_ssl/lib/sslKeyExchange is available in versions earlier than Apple iOS 6.1.6, 7.0.6, earlier than Apple TV 6.0.2, and earlier than Apple OS X 10.9.2. c's SSLVerifySignedServerKeyExchange function does not check the signature in the key exchange information of the TLS server. This allows man-in-the-middle attackers to use arbitrary keys or skip the signature steps during the signing process to fool the SSL server.

<* Source: vendor
*>

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

Apple
-----
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:

Http://www.apple.com/support/downloads/
Http://support.apple.com/kb/HT6148
Http://support.apple.com/kb/HT6147
Http://support.apple.com/kb/HT6146