Apple Patches RCE Flaw in AirPort Routers

Apple has released firmware updates for its AirPort routers to address a remote code execution (RCE) vulnerability.

The flaw, tracked as CVE-2015-7029, appears to have been reported to the company last year by Alexandre Helie. In its advisory, Apple only revealed that the issue is a memory corruption related to DNS data parsing that allows a remote attacker to execute arbitrary code.

Paul Ducklin, senior security advisor at Sophos, believes there are two methods that can be used to exploit these types of vulnerabilities in order to take control of an AirPort router.

"The first way is by feeding malformed DNS requests to an AirPort that is set up to reply to queries from the internet. The second is by feeding malformed replies to an AirPort that makes outbound DNS requests on behalf of the devices on its internal network," Ducklin explained. "The latter is obviously a much more serious flaw, and we think it's probably the sort of bug that Apple is talking about here."Apple Airport vulnerability patched

According to the expert, these types of vulnerabilities are not difficult to exploit. An attacker needs to register a domain, set up a malicious DNS server to answer queries about that domain, and send the targeted user a link to a webpage containing content apparently hosted on the attack domain.

"All that matters is that some device on the target network should decide to ask an unpatched AirPort router, ‘Where do I find example.org?'," Ducklin explained. "The router will then pass this question on to the global DNS network, which will answer by referring the router to your own, booby-trapped DNS server, assuming that's registered as the official DNS server for your ‘attack domain'."

"Your ‘attack domain' can then send back a booby-trapped reply to take control of the victim's router remotely, and thereby potentially to compromise his entire network," the expert said.

Apple patched the vulnerability with the release of firmware versions 7.6.7 and 7.7.7 for AirPort Express, Extreme, and Time Capsule base stations with 802.11n, and AirPort Extreme and Time Capsule devices with 802.11ac. The firmware updates can be installed using the AirPort Utility for OS X or iOS.