Tuesday, August 24, 2010

Apple fixes CVE-2010-1800 in Security Update 2010-005


Apple just fixed an issue I reported to them.

To quote Apple's Security Update 2010-005 advisory text:
CVE-ID: CVE-2010-1800
Available for: Mac OS X v10.6.4, Mac OS X Server v10.6.4
Impact: An attacker with a privileged network position may intercept user credentials or other sensitive information
Description: CFNetwork permits anonymous TLS/SSL connections. This may allow a man-in-the-middle attacker to redirect connections and intercept user credentials or other sensitive information. This issue does not affect the Mail application. This issue is addressed by disabling anonymous TLS/SSL connections. This issue does not affect systems prior to Mac OS X v10.6.3. Credit to Aaron Sigel of vtty.com, Jean-Luc Giraud of Citrix, Tomas Bjurman of Sirius IT, and Wan-Teh Chang of Google, Inc. for reporting this issue.
In other words: with some DNS trickery (or any other man-in-the-middle position on the path), you can be any HTTPS site, lock icon and all, without holding a certificate for it, because the client will happily finish a TLS handshake with a server that never presents a certificate. Try it for yourself on an unpatched 10.6.3 or 10.6.4 system. The -nocert flag runs s_server with no certificate at all, so the only suites it can negotiate are the anonymous (ADH) ones that 'ALL' includes:
1. openssl s_server -debug -accept 8080 -nocert -cipher 'ALL:NULL'
2. Browse to https://127.0.0.1:8080/

You'd normally expect a certificate error at that point. Judging by the credit list, this didn't go totally unnoticed, though!
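As an added example (not from the post, and not Apple's or OpenSSL's code), here is the same two-step check done with Python's standard ssl module, entirely in memory: the server half is a stand-in for the openssl s_server -nocert command above, and two client configurations connect to it, one set up the way a client should be and one that tolerates a certificate-less peer, which is the CVE-2010-1800 behaviour. The hostname www.example.test is a made-up SNI value; no DNS lookup or network traffic is involved. It assumes an OpenSSL build that still ships the anonymous (aNULL) suites, which OpenSSL 1.1.0 and later only allow at security level 0.

```python
"""Check whether a TLS client accepts an anonymous (certificate-less) server.

The server side plays `openssl s_server -nocert -cipher 'ALL:NULL'`; the
handshake is driven over MemoryBIOs, so no sockets, DNS or network are used.
"""
import ssl


def anonymous_server_context():
    """A server with no certificate that offers only aNULL suites (ADH/AECDH).

    Anonymous suites exist only up to TLS 1.2, so TLS 1.3 is capped off, and
    OpenSSL >= 1.1.0 refuses aNULL unless the security level is lowered to 0.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("aNULL:@SECLEVEL=0")
    return ctx


def strict_client_context():
    """How a client should be set up: certificate and hostname verification on,
    no anonymous suites offered. create_default_context() does both."""
    return ssl.create_default_context()


def permissive_client_context():
    """A client with the CVE-2010-1800 behaviour: it never checks the peer's
    certificate and offers anonymous suites, so a peer with no certificate at
    all is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers("ALL:aNULL:@SECLEVEL=0")
    return ctx


def try_handshake(client_ctx, server_ctx, hostname="www.example.test"):
    """Drive a complete handshake between the two contexts over MemoryBIOs.

    Returns (True, negotiated cipher name) if both sides finish, otherwise
    (False, reason). `hostname` only becomes the SNI value; it is a made-up name.
    """
    c_in, c_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    s_in, s_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    client = client_ctx.wrap_bio(c_in, c_out, server_side=False,
                                 server_hostname=hostname)
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)

    pending = [client, server]          # sides that have not finished yet
    try:
        for _ in range(32):             # a TLS 1.2 handshake needs a few passes
            for side in list(pending):
                try:
                    side.do_handshake()
                    pending.remove(side)
                except ssl.SSLWantReadError:
                    pass                # waiting for the other side's flight
                # deliver whatever this side produced (records or an alert)
                if side is client:
                    data = c_out.read()
                    if data:
                        s_in.write(data)
                else:
                    data = s_out.read()
                    if data:
                        c_in.write(data)
            if not pending:
                return True, client.cipher()[0]
    except ssl.SSLError as exc:         # either side aborted the handshake
        return False, exc.reason or str(exc)
    return False, "handshake did not complete"


def anonymous_peer_accepted(client_ctx):
    """True when the client completes a handshake with a certificate-less server."""
    ok, _ = try_handshake(client_ctx, anonymous_server_context())
    return ok


if __name__ == "__main__":
    for label, ctx in (("strict client", strict_client_context()),
                       ("permissive client", permissive_client_context())):
        ok, detail = try_handshake(ctx, anonymous_server_context())
        print(f"{label}: {'CONNECTED with ' if ok else 'rejected: '}{detail}")
```

The strict client never gets as far as certificate validation: it offers no anonymous suite, so the server finds no shared cipher and the handshake dies with an alert, which is the error you want to see in step 2. The permissive client negotiates an AECDH or ADH suite and comes up with a fully "encrypted" session to a peer whose identity was never established, which is exactly what a man-in-the-middle needs.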

Props to cstone!