Today, Apple released security advisory APPLE-SA-2014-10-20-1 for iOS 8.1 that includes CVE-2014-4449.
The CVE covers a TLS certificate validation vulnerability in the clients that access iCloud. It affects bookmarks, calendar, tasks, and possibly other data types, and allows modification and disclosure of data.
The impact is exposure of sensitive reminders, meetings, and bookmarks (including bookmarklets that could allow logins to other saved websites). Users may store sensitive data within these data objects that are synced to iCloud, and that data is at risk of exposure through this vulnerability.
- Data Disclosed Includes:
  - User Display Name
  - Apple DAV Push Token
  - Owner ID
  - X-MobileMe-Auth Token (encoded in b64, prepended Owner ID)
  - Push Key (prepended Owner ID)
  - DAV Sync Token
  - The full gzipped text of the following data types:
    - Calendar Events
    - Safari Bookmarks
- Connections not validated include:

Vulnerability Disclosure Timeline:
==================================
- 2014-07-15: Researcher discovery
- 2014-07-16: Vendor Notification
- 2014-07-17: Vendor Confirmation of receipt of report
- 2014-10-02: Vendor Response/Feedback
- 2014-10-20: Vendor Fix/Patch
- 2014-10-20: Public Disclosure

Impact
==================================
CVSS Severity (version 2.0):
- CVSS v2 Base Score: 6.8 (MEDIUM)
- Impact Subscore: 6.4
- Exploitability Subscore: 8.6

CVSS Version 2 Metrics:
- Access Vector: Network exploitable
- Access Complexity: Medium
- Authentication: Not required to exploit
- Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service
According to ElcomSoft, a Russian mobile forensics company, the data gathered from the MobileMe-Auth Token might be usable to obtain additional authentication tokens, as well as a number of other interesting things like iOS iCloud backups. These are encrypted using retrievable keys that are also stored in the cloud.
So, presumably, someone exploiting CVE-2014-4449 would be able not only to see the data going over the unauthenticated streams to the calendar, reminders, and bookmarks, but also to pivot with those authentication keys to download and decrypt backups of iOS devices. Once a backup is retrieved and decrypted, the attacker has access to all of the iPhone data using a variety of free or paid tools for forensic analysis.