Apple has issued a security update to fix a nine-month-old DNS parsing vulnerability affecting its AirPort routers. Apple has released a firmware update 7.6.7 and 7.7.7 that runs on AirPort Express, AirPort Extreme and AirPort Time Capsule base stations with 802.11n; AirPort Extreme and AirPort Time Capsule base stations with 802.11ac.
According to the Apple advisory states the old firmware was affected by a memory corruption issue in DNS data parsing. The experts of the company fixed the security issue by improving bounds checking.
The exploitation of the flaw CVE-2015-7029 could allow a remote attacker to cause arbitrary code execution.
“Impact: A remote attacker may be able to cause arbitrary code execution Description: A memory corruption issue existed in DNS data parsing. This issue was addressed through improved bounds checking. CVE-2015-7029 : Alexandre Helie” states the Apple SA-2016-06-20-1 security advisory.
The experts noticed that the Apple SA-2016-06-20-1 security advisory just references a single remote code execution hole.
It is strange that Apple hasn’t provided further details about the security issue except for an acknowledgement to Alexandre Helie who discovered the bug.
It is likely that attackers can trigger the issue to capture DNS responses and manipulate them in order to redirect users to bogus websites.
“We can think of two ways that a DNS data-handling bug of this type might be exploited to take control of a vulnerable AirPort router.” wrote Paul Ducklin from Naked Security. “The first way is by feeding malformed DNS requests to an AirPort that is set up to reply to queries from the internet. The second is by feeding malformed replies to an AirPort that makes outbound DNS requests on behalf of the devices on its internal network. The latter is obviously a much more serious flaw, and we think it’s probably the sort of bug that Apple is talking about here.”
Over at Sophos’ Naked Security, Paul Ducklin speculates that since it’s described as remotely exploitable, the bug must make it easier to get an AirPort to accept fake DNS responses.
If you own an Apple AirPort patch it as soon as you can.
Security Affairs – (Apple AirPort, CVE-2015-7029 )