Apple fixes serious flaw in AirPort wireless routers
According to Apple security, the flaw is a memory corruption issue stemming from DNS (Domain Name System) data parsing that could lead to arbitrary code execution.
The company released firmware updates 7.6.7 and 7.7.7 for AirPort Express, AirPort Extreme and AirPort Time Capsule base stations with 802.11n Wi-Fi, as well as AirPort Extreme and AirPort Time Capsule base stations with 802.11ac Wi-Fi.
The AirPort Utility 6.3.1 or later on OS X or AirPort Utility 1.3.1 or later on iOS can be used to install the new firmware versions on AirPort devices, the company said in an advisory.
As is typical for Apple security announcements, the company did not release details about possible exploitation scenarios and did not assign a severity rating for the flaw. However "arbitrary code execution," especially through a remote vector like DNS, is as bad as it can possibly get for a vulnerability.
What is not clear is whether the data parsing issue is in the DNS server or DNS client functionality.
A router like AirPort can serve as a local DNS resolver for devices on a network. This means that it receives DNS queries from computers and passes those queries upstream through the global Internet DNS chain.
On the other hand, routers also act like DNS clients, asking other DNS servers on the Internet to resolve host names.
If the error is in the parsing of queries received from LAN computers, it would limit the attack to the local network. Whereas, if the flaw is in the parsing of DNS responses, it could be exploited remotely.
When a DNS client asks a server to resolve a domain name, the query is eventually passed to one of the Internet's 13 so-called root DNS servers -- in reality clusters of servers. Those servers indicate the authoritative DNS server for the queried domain name and it's that authoritative server that replies with the requested information.
Attackers could register rogue domain names and configure the authoritative DNS server for them to respond with specifically crafted data that would exploit the flaw. They would then have to trick a computer from behind an AirPort router to send a DNS query for one of their domain names, for example by tricking a user to click on a link.
Another unknown is the privilege with which attackers would execute malicious code if this flaw is successfully exploited. If the code is executed under the root account, it could lead to a full device compromise.
By controlling an AirPort device, attackers could launch various attacks against local network computers. They could hijack search queries, insert rogue ads into Web pages and even direct users to malicious websites when they try to access legitimate ones.
Giving the potentially serious impact of this vulnerability and the fact that DNS is a critical service that can't be easily disabled, users are advised to install the updated firmware as soon as possible.