The flaw could allow attackers to take over users’ entire networks, say security researchers
Apple has published a patch for what it called a critical security bug in its AirPort and AirPort Extreme Wi-Fi routers, with security researchers recommending users install the update immediately.
Apple disclosed little about the bug beyond stating that it could allow a remote attacker to execute malicious code on a device. Routers are a particularly attractive target for attackers: a compromised router can expose the entire network behind it, and the compromise can be difficult to detect.
The bug was caused by a memory corruption error in the firmware’s DNS data parsing, and was fixed through improved bounds checking, Apple said in an advisory.
The vulnerability has the designation CVE-2015-7029, but the Common Vulnerabilities and Exposures (CVE) database states only that the bug was reported more than nine months ago.
Firmware update versions 7.6.7 and 7.7.7 are available for AirPort Express, AirPort Extreme and AirPort Time Capsule base stations with 802.11n, and for AirPort Extreme and AirPort Time Capsule base stations with 802.11ac, Apple said.
Given the severity Apple attributed to the bug, security researchers said it is likely to be exploitable via malformed DNS replies sent to an AirPort router.
“We think (that is) probably the sort of bug that Apple is talking about here,” said Sophos researcher Paul Ducklin. “You almost always want your router to perform requests to the outside as part of the service it provides to your internal network, so most routers are set up to work this way.”
He said such a vulnerability could be exploited using a booby-trapped DNS server by sending the target some content, such as a web page, containing a reference to the malicious domain.
The target router’s query would be sent by the global DNS system to the malicious domain, which would send a reply formed in such a way as to exploit the bug, thus potentially compromising the entire network, Ducklin said.
“Remote code execution bugs are always worth fixing, especially if they can be triggered by apparently innocent and unexceptional network activity that happens automatically, without users needing to click through any warning dialogs,” he wrote.
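The one technical detail in Apple's advisory (memory corruption in DNS data parsing, fixed by bounds checking) and the booby-trapped-server scenario Ducklin describes above come down to the same thing: a resolver reads a length field out of an attacker-supplied reply and trusts it. The C program below is an added illustration of that bug class and its fix. It is not Apple's firmware code, does not reproduce the CVE-2015-7029 code path, and makes no claim about where in the AirPort resolver the real bug lived. It decodes a wire-format DNS name twice: once in a form that checks every read against the packet but never checks a write against the destination buffer, and once with the checks that make a hostile reply safe to parse (room check before each write, the RFC 1035 name-length cap, and a hop limit on compression pointers). The reply bytes, the 64-byte name buffer and the 256-byte arena are constructed for the demonstration.

```c
/* Added example: DNS name decoding with and without destination bounds checks.
 * Illustrative only; not Apple's firmware and not the CVE-2015-7029 code path.
 * Build: cc -Wall -O2 dns_name.c && ./a.out */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF 64        /* bytes the caller reserves for the decoded name (small on purpose) */
#define ARENA    256       /* name buffer plus bytes standing in for whatever sits after it */
#define MAX_WIRE_NAME 255  /* RFC 1035 limit on an encoded name, root label included */

enum { ERR_TRUNCATED = -1, ERR_TOO_LONG = -2, ERR_LOOP = -3, ERR_BAD_LABEL = -4 };

/* Vulnerable form: every read is checked against the packet, but nothing is
 * checked against the destination; out_cap is accepted and ignored. Returns
 * the decoded length or a negative error. Compression pointers not handled. */
static int decode_name_unchecked(const uint8_t *pkt, size_t pkt_len, size_t off,
                                 char *out, size_t out_cap)
{
    size_t w = 0;
    (void)out_cap;
    for (;;) {
        if (off >= pkt_len) return ERR_TRUNCATED;
        uint8_t len = pkt[off++];
        if (len == 0) break;
        if (len > pkt_len - off) return ERR_TRUNCATED;
        if (w) out[w++] = '.';
        memcpy(out + w, pkt + off, len);   /* attacker controls len; no room check */
        w += len;
        off += len;
    }
    out[w] = '\0';
    return (int)w;
}

/* Hardened form: same wire parsing plus a room check before every write, the
 * RFC 1035 cap on total name length, and compression pointers with a hop limit
 * so a pointer that refers to itself cannot spin the loop forever. */
static int decode_name_checked(const uint8_t *pkt, size_t pkt_len, size_t off,
                               char *out, size_t out_cap)
{
    size_t w = 0, wire = 0, hops = 0;
    if (out_cap == 0) return ERR_TOO_LONG;
    for (;;) {
        if (off >= pkt_len) return ERR_TRUNCATED;
        uint8_t len = pkt[off++];
        if ((len & 0xC0) == 0xC0) {                 /* 11xxxxxx: 14-bit pointer into the packet */
            if (off >= pkt_len) return ERR_TRUNCATED;
            if (++hops > 8) return ERR_LOOP;
            off = ((size_t)(len & 0x3F) << 8) | pkt[off];
            continue;
        }
        if (len & 0xC0) return ERR_BAD_LABEL;       /* 01/10 prefixes are reserved */
        if (len == 0) break;
        if (len > pkt_len - off) return ERR_TRUNCATED;
        wire += (size_t)len + 1;
        if (wire + 1 > MAX_WIRE_NAME) return ERR_TOO_LONG;
        if (w + (w ? 1 : 0) + len + 1 > out_cap) return ERR_TOO_LONG; /* sep + label + NUL */
        if (w) out[w++] = '.';
        memcpy(out + w, pkt + off, len);
        w += len;
        off += len;
    }
    out[w] = '\0';
    return (int)w;
}

/* Constructed reply: header, question "www.example.com" A IN, and an answer
 * whose owner name is a compression pointer (0xC0 0x0C) back to offset 12. */
static const uint8_t SAMPLE_REPLY[] = {
    0x12,0x34, 0x81,0x80, 0x00,0x01, 0x00,0x01, 0x00,0x00, 0x00,0x00,  /* header */
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,    /* QNAME @12 */
    0x00,0x01, 0x00,0x01,                                              /* A, IN */
    0xC0,0x0C, 0x00,0x01, 0x00,0x01, 0x00,0x00,0x0E,0x10, 0x00,0x04,  /* answer @33 */
    93,184,216,34                                                      /* RDATA */
};
#define ANSWER_OFF 33

/* Constructed hostile name: two maximal 63-byte labels, legal on the wire
 * (129 bytes) but 127 characters once decoded, about twice NAME_BUF. */
static size_t build_long_name(uint8_t *buf, size_t cap)
{
    if (cap < 129) return 0;
    size_t p = 0;
    buf[p++] = 63; memset(buf + p, 'a', 63); p += 63;
    buf[p++] = 63; memset(buf + p, 'b', 63); p += 63;
    buf[p++] = 0;
    return p;
}

/* Decodes the hostile name with the unchecked decoder into the first NAME_BUF
 * bytes of a 256-byte arena whose remainder is filled with 0xAA. Returns how
 * many bytes past NAME_BUF were overwritten. The write stays inside the arena,
 * so this program is well defined; real firmware has a stack or heap neighbour there. */
static int demo_overflow(void)
{
    uint8_t pkt[160], arena[ARENA];
    size_t n = build_long_name(pkt, sizeof pkt);
    memset(arena, 0xAA, sizeof arena);
    decode_name_unchecked(pkt, n, 0, (char *)arena, NAME_BUF);
    int clobbered = 0;
    for (size_t i = NAME_BUF; i < ARENA; i++)
        if (arena[i] != 0xAA) clobbered++;
    return clobbered;
}

int main(void)
{
    char name[NAME_BUF];
    uint8_t pkt[160];
    int n = decode_name_checked(SAMPLE_REPLY, sizeof SAMPLE_REPLY, ANSWER_OFF, name, sizeof name);
    printf("answer owner name via pointer: %s (%d chars)\n", name, n);
    printf("unchecked decoder clobbered %d neighbouring bytes\n", demo_overflow());
    size_t len = build_long_name(pkt, sizeof pkt);
    printf("checked decoder on the same reply: %d (ERR_TOO_LONG is %d)\n",
           decode_name_checked(pkt, len, 0, name, sizeof name), ERR_TOO_LONG);
    return 0;
}
```

The unchecked decoder is careful about reads, which is exactly the partial discipline that lets such code pass review: it cannot crash on a short packet, yet any authoritative server the router is induced to query can choose the label lengths and overwrite whatever the firmware keeps after the name buffer. The checked decoder costs one comparison per label and turns the same reply into an error return.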
Last year researchers discovered an attack successfully carried out in the wild that involved taking over a Cisco router and replacing its entire operating system, effectively granting unrestricted access to the network.
The attack, which involves replacing the operating system image embedded in the router’s firmware with a modified version that grants control to an attacker, was previously believed to be “theoretical in nature and especially in use”, according to FireEye’s Mandiant unit, which discovered the malicious system images.
FireEye said it found at least 14 such router implants, using a firmware modification it called “SYNful Knock”, spread across Ukraine, the Philippines, Mexico and India, but said at the time it was likely that there were more compromised routers that remained undiscovered.