Apple plugged three security holes in the latest update of its AirPort Base Station and Time Capsule products, including a serious vulnerability in the implementation of the IPv6 Neighbor Discovery Protocol.
The aforementioned bug leaves users open to attack via a maliciously crafted message due to improper validation of the origin of Neighbor Discovery messages. According to Apple, a remote user can exploit the situation to cause a denial of service, observe private network traffic or inject forged packets.
The update resolves the issue by performing additional validation of the messages.
The latest releases, Version 7.4.1, also fix two issues that could be exploited to cause a denial-of-service condition. One is an implementation issue in the handling of incoming ICMPv6 “Packet Too Big” messages. When IPv6 support is enabled, IPv6 nodes use Internet Control Message Protocol Version 6 (ICMPv6) to report errors encountered while processing packets. Improper handling of ICMPv6 messages can cause the device to shut down unexpectedly, Apple warned.
The final bug is due to an out-of-bounds memory access issue that exists in the handling of Point-to-Point Protocol over Ethernet (PPPoE) discovery packets. An attacker could exploit the vulnerability by sending a maliciously crafted PPPoE discovery packet.
“Firmware Version 7.4.1 is installed into Time Capsule or AirPort Base Station with 802.11n via AirPort Utility, provided with the device,” according to Apple. “AirPort Utility 5.4.1 or later should be installed before upgrading to firmware Version 7.4.1. AirPort Utility 5.4.1 or later may be obtained through the Apple Support Downloads site.”