Apple has released iOS 10.3.1, a feature update with a fix for one bug that allows an attacker within wi-fi range to execute code on the wi-fi chip.
According to Apple, “an attacker within range may be able to execute arbitrary code on the Wi-Fi chip”.
Affected iOS devices include the iPhone 5 and later, the iPad 4th generation and later, and the iPod 6th generation and later.
Apple credits Google’s Project Zero researcher Gal Benjamini for reporting the bug, tagged as CVE-2017-6957.
Some Android devices and wi-fi routers may be affected by this bug too, which resides in a Broadcom wi-fi HardMAC system on chip (SoC), according to Benjamini’s writeup on the Project Zero database for this bug.
Benjamini says Samsung’s Galaxy S7 (G930F, G930V), Galaxy S6 Edge (G925V), Galaxy S7 Edge (G935F, G9350), Galaxy Note 4 (N910F) and Galaxy S5 (G900F) are affected, while Google’s Nexus 5 and Nexus 6P are not.
Benjamini reported the bug to Broadcom on December 20, and the chip maker confirmed on March 23 -- three days after Google's 90 day disclosure deadline -- that it a fix was merged into customer branches.
Apple for its part said the “stack buffer overflow was addressed through improved input validation”.
The researcher found the bug present on Broadcom’s BCM4339 SoC with firmware version 18.104.22.168. While that chip is on the Nexus 5, the device wasn’t vulnerable because it didn’t support Cisco’s Cisco Centralized Key Management (CKKM) Fast Secure Roaming feature.
The feature “allows CCKM-authenticated client devices can roam from one AP to another without any perceptible delay during reassociation”, according to Cisco.
Benjamini found there was buffer overflow when parsing the CKKM reassociation response. Insufficient validation during this process allowed an attacker to craft a reassociation response that triggers a stack buffer overflow with attacker controlled data.
While the Google researcher believed the issue could affect numerous mobile devices and wifi routers, Broadcom said the only devices that are affected are those with CCKM Fast Secure Roaming enabled in the firmware’s RAM.
That means only devices with the "ccx" tag in the firmware version string support CCKM, explains Benjimani. He confirmed that Samsung's Galaxy devices did include this tag, while Nexus devices did not.