carl mehner's blog

iOS 8.1 and CVE-2014-4449

Today, Apple released security advisory APPLE-SA-2014-10-20-1 for iOS 8.1 that includes CVE-2014-4449.

This is a TLS certificate validation vulnerability in the iOS clients that access iCloud. It affects bookmarks, calendar, tasks, and possibly other data types, and allows disclosure and modification of the synced data.

The exposure covers sensitive reminders, meetings, and bookmarks (including bookmarklets that could allow logins to other saved websites). Users may store sensitive data within these objects, which are synced to iCloud, and that data is at risk of exposure through this vulnerability.

Data Disclosed Includes:
  User Display Name
  Apple DAV Push Token
  Owner ID
  X-MobileMe-Auth Token (base64 encoded, with the Owner ID prepended)
  Push Key (with the Owner ID prepended)
  DAV Sync Token
  The full gzipped text of the following data types:
    Reminders
    Calendar Events
    Safari Bookmarks

Connections not validated include:
  p11-caldav.icloud.com
  p11-bookmarks.icloud.com

Vulnerability Disclosure Timeline:
==================================
2014-07-15:     Researcher discovery
2014-07-16:     Vendor Notification
2014-07-17:     Vendor Confirmation of receipt of report
2014-10-02:     Vendor Response/Feedback
2014-10-20:     Vendor Fix/Patch
2014-10-20:     Public Disclosure

Impact
==================================
CVSS Severity (version 2.0):
CVSS v2 Base Score: 6.8 (MEDIUM)
Impact Subscore: 6.4
Exploitability Subscore: 8.6
CVSS Version 2 Metrics:
Access Vector: Network exploitable
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type: Allows unauthorized disclosure of
    information; Allows unauthorized modification;
    Allows disruption of service

--speculation ahead--
According to ElcomSoft, a Russian mobile forensics company, the MobileMe-Auth Token might be usable to obtain additional authentication tokens as well as other interesting things, such as iOS iCloud backups. Those backups are encrypted using retrievable keys that are also stored in the cloud.

So, presumably, someone exploiting CVE-2014-4449 would not only be able to see the data going over the unauthenticated streams to the calendar, reminders, and bookmarks services, but could also pivot with those authentication tokens to download and decrypt backups of iOS devices. Once a backup is retrieved and decrypted, the attacker has access to all of the iPhone's data using a variety of free or paid forensic analysis tools.