CVE-2011-0228 iOS certificate chain validation issue in handling of X.509 certificates

Recurity Labs recently conducted a project for the German Federal Office for Information Security (BSI), which (amongst others) also concerned the iOS platform. During the analysis, a severe vulnerability in the iOS X.509 implementation was identified. When validating certificate chains, iOS fails to properly check the X.509v3 extensions of the certificates in the chain. In particular, the "Basic Constraints" section of the supplied certificates are not verified by iOS. In the Basic Constraints section, the issuer of a certificate can encode whether or not the issued certificate is a CA certificate, i.e. whether or not it may be used to sign other certificates. Not checking the CA bit of a certificate basically means that every end-entity certificate can be used to sign further certificates. To provide an example: When a CA issues a certificate to a Web site, the CA will usually set the CA bit of this certificate to false. Assume, the attacker has such a certificate, issued by a trusted CA to The attacker can now use their private key to sign another certificate, which may contain arbitraty data. This could for instance be a certificate for or even worse, it could be a certificate containing multiple common names: *.*, *.*.*, ... iOS fails to check whether the attacker's certificate was actually allowed to sign subsequent certificates and considers the so created univeral certificate as valid. The attacker could now use this certificate to intercept all SSL/TLS traffic originating from an iOS device. However, SSL/TLS is not the only use of X.509. Every application that makes use of the iOS crypto framework to validate chains of X.509 certificates is vulnerable.

The idea that Apple could have made a 8 year old mistake was suggested by Bernhard 'bruhns' Brehm.

To test whether your iOS version is vulnerable, Recurity Labs has set up a Web site: If the Safari browser on your iDevice allows you to visit this site without issuing a warning, your device is vulnerable. The certificate for this site was created using the above described technique. Please feel free to validate this by inspecting the certificate that the HTTP server supplies to you.