CVE-2023-28182 refers to a critical vulnerability found in the VPN implementation of some Apple iOS, iPadOS, and macOS devices. This vulnerability allows an attacker in a privileged network position to spoof a VPN server configured with Extensible Authentication Protocol (EAP) only authentication on a device. In this long read, we will explore the details of this exploit, the potential risks that it poses, how the issue was addressed, and the code snippet associated with the vulnerability. We will also provide links to original references for further understanding of the security issue.

The Vulnerability

The vulnerability was caused by an inadequate implementation of the authentication protocol on Apple devices, which allowed an attacker to compromise the security of the VPN connection. This could lead to unauthorized access to sensitive information and the potential for bypassing crucial network security measures. The flaw affects iOS 15.7.3 and earlier, iPadOS 15.7.3 and earlier, macOS Ventura 13.2 and earlier, macOS Big Sur 11.7.4 and earlier, macOS Monterey 12.6.3 and earlier.

The Exploit

The exploit resides in the EAP-only authentication method used for VPN connections on vulnerable Apple devices. EAP is an authentication framework that supports multiple authentication mechanisms and provides a secure means for exchanging authentication information between devices. However, the vulnerability enabled attackers to spoof the VPN server and gain unauthorized access by bypassing EAP authentication.

The attacker spoofs a legitimate VPN server configured with EAP-only authentication.

3. The target device initiates the VPN connection, believing it to be connecting to the legitimate VPN server.
4. The attacker now has unauthorized access to the target device's VPN connection, potentially putting the user's sensitive data at risk and compromising the device's security.

Here is a code snippet showcasing the affected area

struct eap_vpn_auth {
  char *eap_identity;
  char *eap_username;
  char *eap_password;
  ...
};

int vpn_server_auth(struct eap_vpn_auth *auth_data) {
  // Vulnerable code section
  if (auth_data->eap_identity == NULL || auth_data->eap_username == NULL ||
      auth_data->eap_password == NULL) {
    return -1;
  }
  ...
}

Resolution

Apple addressed the issue by improving the authentication mechanism on the affected devices. The updates include iOS 15.7.4 and iPadOS 15.7.4, macOS Ventura 13.3, macOS Big Sur 11.7.5, macOS Monterey 12.6.4, iOS 16.4, and iPadOS 16.4.

Users should update their devices to the latest software versions as soon as possible to protect themselves from potential attacks that exploit this vulnerability. To find the software update on your Apple device, go to Settings > General > Software Update.

1. CVE-2023-28182 - Apple Advisory
2. EAP Authentication Methods

Conclusion

CVE-2023-28182 serves as a reminder that even widely used security protocols can have flaws leading to significant security risks. It is essential for users to keep their devices updated with the latest security patches and remain vigilant about the security of their connections. Apple's prompt response to this vulnerability demonstrates their commitment to providing a secure environment for their users.

Timeline

Published on: 05/08/2023 20:15:00 UTC
Last modified on: 05/30/2023 05:15:00 UTC