CVE-2011-3427 - Information Leak / Disclosure vulnerability in Apple TV and Iphone OS

Publication

2011-10-14

Last modification

2017-08-29

Summary

The Data Security component in Apple iOS before 5 and Apple TV before 4.4 does not properly restrict use of the MD5 hash algorithm within X.509 certificates, which makes it easier for man-in-the-middle attackers to spoof servers or obtain sensitive information via a crafted certificate.

Description

Apple iOS is prone to a security vulnerability that may allow attackers to conduct spoofing attacks. Successfully exploiting this issue allows attackers to perform man-in-the-middle attacks by impersonating trusted servers or obtain sensitive information. This will aid in further attacks.

Solution

Updates are available. Please see the references or vendor advisory for more information.

Exploit

Attackers can use readily available tools to exploit this issue.

Classification

CWE-200 - Information Leak / Disclosure

Risk level (CVSS AV:N/AC:H/Au:N/C:P/I:N/A:N)

Low

2.6

Access Vector

  • Network
  • Adjacent Network
  • Local

Access Complexity

  • Low
  • Medium
  • High

Authentication

  • None
  • Single
  • Multiple

Confident. Impact

  • Complete
  • Partial
  • None

Integrity Impact

  • Complete
  • Partial
  • None

Affected Products

Vendor Product Versions
Apple Apple TV  4.3 , 4.0 , 4.2 , 4.1
Apple Iphone OS  3.1.2 , 3.0 , 4.1 , 3.2 , 4.2.5 , 4.3.0 , 3.1.3 , 4.3.1 , 3.1 , 4.0.1 , 4.2.8 , 4.3.3 , 4.3.5 , 3.2.1 , 4.2.1 , 3.2.2 , 4.3.2 , 4.0.2 , 4.0