Apple AirPort routers get critical security update

Apple just rolled out a security fix for its AirPort range of wireless routers.

The update is slightly mysterious: it fixes a vulnerability first reported more than nine months ago, dubbed CVE-2015-7029, about which we still know nothing from the CVE bug database except that “this candidate [bug] has been reserved.”

The mystery continues in Apple’s SA-2016-06-20-1 security advisory, which lists a single remote code execution hole with the rather bland description:

A memory corruption issue existed in DNS data parsing. This issue was addressed through improved bounds checking.

We can think of two ways that a DNS data-handling bug of this type might be exploited to take control of a vulnerable AirPort router.

The first way is by feeding malformed DNS requests to an AirPort that is set up to reply to queries from the internet.

The second is by feeding malformed replies to an AirPort that makes outbound DNS requests on behalf of the devices on its internal network.

The latter is obviously a much more serious flaw, and we think it’s probably the sort of bug that Apple is talking about here.

After all, you almost never want your home router to answer DNS queries from the outside, so you almost never configure your router to do so.

But you almost always want your router to perform requests to the outside as part of the service it provides to your internal network, so most routers are set up to work this way.

Feeding back bad replies

Sadly, it’s easier than you might think to feed booby-trapped DNS replies to a router you want to attack.

All you need to do is register a domain name, such as example.org; set up a booby-trapped DNS server to answer queries about the domain; and send your victims some sort of content that includes a reference to the booby-trapped domain.

For example, you might create a web page that references an image that claims to be stored on a server at the offending domain.

It doesn’t matter whether that image really exists, or even if there’s a web server to host images at all.

All that matters is that some device on the target network asks the unpatched AirPort router, which by default acts as the DNS resolver for the devices it serves, “Where do I find example.org?”

The router will then pass this question on to the global DNS network, which will answer by referring the router to your own, booby-trapped DNS server, assuming you registered it as the authoritative name server for your “attack domain.”

Your booby-trapped server can then send back a malformed reply that takes control of the victim’s router remotely, and thereby potentially compromises their entire network.
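What “improved bounds checking” means for the reply-parsing path described above, as an added example that is not Apple’s code and not the CVE-2015-7029 bug itself (whose details are unpublished): a decoder for DNS names, the part of a reply where label lengths and compression pointers come straight from the network. Every read is checked against the message length, so a truncated label, a pointer past the end of the message, a pointer loop, or an overlong name is rejected rather than read or copied out of bounds. The sample messages are constructed by hand.

```c
/* Added example (not Apple's code, not the CVE-2015-7029 bug): a DNS name
 * decoder that checks every length octet and pointer against the message
 * size before touching memory. Sample messages below are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_MAX_NAME 255   /* RFC 1035: whole encoded name, incl. length octets */

/* Decode the (possibly compressed) name at msg[off] into out as dotted text.
 * Returns the number of bytes the name occupies at off, or -1 if malformed. */
int dns_name_decode(const uint8_t *msg, size_t msglen, size_t off,
                    char *out, size_t outlen)
{
    size_t pos = off, outpos = 0, encoded = 0;
    int consumed = -1;                            /* set when the name at off ends */

    if (outlen == 0) return -1;
    for (;;) {
        if (pos >= msglen) return -1;             /* length octet missing */
        uint8_t len = msg[pos];
        if ((len & 0xC0) == 0xC0) {               /* compression pointer */
            if (pos + 1 >= msglen) return -1;     /* second pointer octet missing */
            size_t target = ((size_t)(len & 0x3F) << 8) | msg[pos + 1];
            if (consumed < 0) consumed = (int)(pos + 2 - off);
            /* RFC 1035 pointers refer to an earlier occurrence; insisting on a
             * strictly backward jump makes pointer loops impossible. */
            if (target >= pos) return -1;
            pos = target;
            continue;
        }
        if (len & 0xC0) return -1;                /* 0x40 / 0x80 are reserved */
        if (len == 0) {                           /* root label: end of name */
            if (consumed < 0) consumed = (int)(pos + 1 - off);
            break;
        }
        if (pos + 1 + len > msglen) return -1;    /* label runs off the message */
        encoded += len + 1;
        if (encoded + 1 > DNS_MAX_NAME) return -1;        /* name too long */
        if (outpos + (outpos ? 1 : 0) + len >= outlen) return -1; /* no room + NUL */
        if (outpos) out[outpos++] = '.';
        memcpy(out + outpos, msg + pos + 1, len);
        outpos += len;
        pos += 1 + len;
    }
    out[outpos] = '\0';
    return consumed;
}

/* Constructed sample: "example.org" at offset 0, then "www" + pointer to 0. */
static const uint8_t sample_msg[] = {
    7,'e','x','a','m','p','l','e', 3,'o','r','g', 0,   /* offsets 0..12 */
    3,'w','w','w', 0xC0, 0x00                           /* offsets 13..18 */
};
static const uint8_t truncated_msg[]    = { 7,'e','x','a','m' };  /* label cut short */
static const uint8_t self_pointer_msg[] = { 0xC0, 0x00 };         /* points at itself */
static const uint8_t half_pointer_msg[] = { 0xC0 };               /* pointer cut short */

static char last_name[256];

/* Decode the name at off in sample_msg into a static buffer; return consumed. */
int decode_sample(size_t off)
{
    return dns_name_decode(sample_msg, sizeof sample_msg, off, last_name, sizeof last_name);
}
const char *decoded_name(void) { return last_name; }

int decode_sample_small_buffer(void)   /* 8 bytes cannot hold "example.org" */
{
    char b[8];
    return dns_name_decode(sample_msg, sizeof sample_msg, 0, b, sizeof b);
}
int decode_truncated(void)    { char b[64]; return dns_name_decode(truncated_msg, sizeof truncated_msg, 0, b, sizeof b); }
int decode_self_pointer(void) { char b[64]; return dns_name_decode(self_pointer_msg, sizeof self_pointer_msg, 0, b, sizeof b); }
int decode_half_pointer(void) { char b[64]; return dns_name_decode(half_pointer_msg, sizeof half_pointer_msg, 0, b, sizeof b); }

/* Five 63-octet labels: 320 octets encoded, beyond the 255-octet limit. */
int decode_overlong(void)
{
    uint8_t m[5 * 64 + 1];
    char b[512];
    for (size_t i = 0; i < 5; i++) { m[i * 64] = 63; memset(m + i * 64 + 1, 'a', 63); }
    m[320] = 0;
    return dns_name_decode(m, sizeof m, 0, b, sizeof b);
}

int main(void)
{
    int n = decode_sample(13);
    printf("%d %s\n", n, decoded_name());
    printf("truncated=%d self=%d half=%d overlong=%d\n", decode_truncated(),
           decode_self_pointer(), decode_half_pointer(), decode_overlong());
    return 0;
}
```

The point is less the specific checks than their placement: each one runs before the read or copy it guards, and the length of the output buffer is enforced by the decoder itself rather than trusted from the caller. A parser that skips any one of them reads or writes past the end of a buffer on a reply the attacker wrote, which is the class of bug Apple’s one-line description points at.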

What to do?

Remote code execution bugs are always worth fixing, especially if they can be triggered by apparently innocent and unexceptional network activity that happens automatically, without users needing to click through any warning dialogs.

In other words, if you’re an Apple AirPort owner, get busy patching this one as soon as you can.

Even though there are no reports suggesting that this vulnerability is known to cybercriminals, you might as well get ahead, just in case details of how to exploit CVE-2015-7029 become known to the underworld.

For vanilla AirPort Base Stations, see Apple download DL1880.

For the Airport Extreme and AirPort Time Capsule products, see DL1708.