CVE-2008-4227
Description
Apple iPhone OS 1.0 through 2.1 and iPhone OS for iPod touch 1.1 through 2.1 changes the encryption level of PPTP VPN connections to a lower level than was previously used, which makes it easier for remote attackers to obtain sensitive information or hijack a connection by decrypting network traffic.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apple iPhone and iPod touch OS 1.0-2.1 silently downgrades PPTP VPN encryption, enabling easier decryption or hijacking of VPN traffic.
Vulnerability
Apple iPhone OS 1.0 through 2.1 and iPhone OS for iPod touch 1.1 through 2.1 contain a flaw in the handling of PPTP VPN connections. The operating system negotiates a lower encryption level for PPTP VPN connections than was previously used, without user notification or consent [1]. Connections that should be protected at the stronger level are silently established at a weaker one; the user sees a connected VPN and has no indication that its encryption is weaker than before.
Exploitation
An attacker does not require authentication or direct access to the device. Any party who can observe network traffic between the iPhone/iPod touch and the PPTP VPN server can mount the attack remotely. Passive interception is enough to recover the contents of the tunnel more easily, because the weaker encryption level is in use; hijacking the connection additionally requires an active position on the path to inject or modify packets. No user interaction beyond establishing the VPN connection is needed; the downgrade happens automatically on the device.
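What "encryption level" means for PPTP, and how a defender can see which level a session actually negotiated: PPTP carries PPP over GRE, and the encryption is MPPE (RFC 3078), which is RC4 with a 40-, 56- or 128-bit session key, negotiated as CCP option type 18 carrying a 32-bit "supported bits" word. The script below is an added example, not Apple's code or anything from this CVE's references: it parses CCP packets, reports the MPPE level carried by the final Configure-Ack, checks it against a minimum key length, and compares it with the level the same client negotiated earlier, which is exactly the silent drop the Vulnerability and Exploitation paragraphs describe. The two sessions it inspects are constructed inline, not captured from a device; the constants come from RFC 1962 and RFC 3078.

```python
"""Added example (not Apple's code or anything from this CVE's references):
inspect PPP CCP negotiation to see which MPPE level a PPTP session ended up
with, and flag sessions below policy or below what the client used before.
The packets below are constructed for the example, not captured traffic."""
import struct

# CCP codes (RFC 1962) and the MPPE option layout (RFC 3078 section 3)
CCP_CONFIGURE_REQUEST = 1
CCP_CONFIGURE_ACK = 2
CCP_CONFIGURE_NAK = 3
MPPE_OPTION_TYPE = 18
MPPE_OPTION_LEN = 6

MPPE_H = 0x01000000   # stateless mode: session key changes every packet
MPPE_M = 0x00000080   # 56-bit session key
MPPE_S = 0x00000040   # 128-bit session key
MPPE_L = 0x00000020   # 40-bit session key
MPPE_C = 0x00000001   # MPPC compression, not encryption
KEY_BITS = {MPPE_S: 128, MPPE_M: 56, MPPE_L: 40}


def parse_ccp(packet: bytes) -> dict:
    """Parse one CCP packet: Code(1) Identifier(1) Length(2) Options(...).
    Returns the code, identifier and the MPPE supported-bits word (None if
    the packet carries no MPPE option). Malformed lengths raise ValueError."""
    if len(packet) < 4:
        raise ValueError("CCP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("CCP Length field inconsistent with packet size")
    options, off, mppe_bits = packet[4:length], 0, None
    while off < len(options):
        if off + 2 > len(options):
            raise ValueError("truncated CCP option header")
        opt_type, opt_len = options[off], options[off + 1]
        if opt_len < 2 or off + opt_len > len(options):
            raise ValueError("CCP option length runs past the packet")
        if opt_type == MPPE_OPTION_TYPE and opt_len == MPPE_OPTION_LEN:
            mppe_bits = struct.unpack("!I", options[off + 2:off + 6])[0]
        off += opt_len
    return {"code": code, "id": ident, "mppe_bits": mppe_bits}


def negotiated_level(session):
    """Given one session's CCP packets in order, return the MPPE level
    carried by the last Configure-Ack (the level actually in use), or None
    if MPPE was never acknowledged."""
    acked = None
    for pkt in session:
        p = parse_ccp(pkt)
        if p["code"] == CCP_CONFIGURE_ACK and p["mppe_bits"] is not None:
            acked = p["mppe_bits"]
    if acked is None:
        return None
    lengths = [n for flag, n in KEY_BITS.items() if acked & flag]
    return {"key_bits": max(lengths, default=0),
            "stateless": bool(acked & MPPE_H), "raw": acked}


def check_policy(level: dict, minimum_bits: int = 128) -> list:
    """Findings for a negotiated level against a minimum key length."""
    findings = []
    if level["key_bits"] < minimum_bits:
        findings.append(f"MPPE key length {level['key_bits']} bits is below "
                        f"the policy minimum of {minimum_bits}")
    if not level["stateless"]:
        findings.append("MPPE stateful mode negotiated (key changes only "
                        "every 256 packets)")
    return findings


def downgraded(previous: dict, current: dict) -> bool:
    """True when this session is weaker than the earlier one from the same client."""
    return current["key_bits"] < previous["key_bits"]


def build_ccp(code: int, ident: int, bits: int) -> bytes:
    """Build a CCP packet carrying only an MPPE option (constructed input)."""
    return (struct.pack("!BBH", code, ident, 4 + MPPE_OPTION_LEN)
            + bytes([MPPE_OPTION_TYPE, MPPE_OPTION_LEN])
            + struct.pack("!I", bits))


# Constructed sessions: a 128-bit stateless one, then a 40-bit stateful one
# such as a client that silently lowered its proposal would produce.
STRONG_SESSION = [build_ccp(CCP_CONFIGURE_REQUEST, 1, MPPE_S | MPPE_H),
                  build_ccp(CCP_CONFIGURE_ACK, 1, MPPE_S | MPPE_H)]
WEAK_SESSION = [build_ccp(CCP_CONFIGURE_REQUEST, 2, MPPE_L),
                build_ccp(CCP_CONFIGURE_ACK, 2, MPPE_L)]

if __name__ == "__main__":
    before = negotiated_level(STRONG_SESSION)
    after = negotiated_level(WEAK_SESSION)
    print("earlier session:", before, check_policy(before))
    print("current session:", after, check_policy(after))
    print("downgrade detected:", downgraded(before, after))
```

The same parser applies to CCP packets pulled from a GRE capture on the VPN server side; the point of keying the comparison on the last Configure-Ack is that it reflects what the peers settled on, not what either side first proposed. Note that MPPE is RC4 at every level, so the check is about key length and key refresh, not a change of cipher.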
Impact
Successful exploitation allows a remote attacker to obtain sensitive information transmitted over the VPN connection (breach of confidentiality) or to potentially hijack the VPN session (integrity compromise). The attacker does not gain control of the device itself, but can read or manipulate traffic that the user believes is strongly encrypted. The impact is limited to PPTP VPN sessions; other VPN protocols or non-VPN communications are not affected.
Mitigation
Apple addressed this issue in iPhone OS 2.2 and iPhone OS for iPod touch 2.2, released on November 21, 2008 [1]. Users should update affected devices to version 2.2 or later. No client-side workaround is available for devices that cannot be updated. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
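A server-side control that makes the downgrade fail closed, as an added example that is not from Apple or from this CVE's references: if the VPN concentrator is Linux pppd with its MPPE plugin (an assumption; the page does not name any server software), the options below refuse 40-bit and stateful MPPE, so a client that proposes a weaker level cannot complete CCP negotiation instead of silently connecting with it. Option names are from the pppd manual page; the file path is pptpd's default and is an assumption.

```conf
# /etc/ppp/pptpd-options  (path assumed; pptpd's default options file)

# Weak: requires MPPE but accepts 40-bit if that is all the client offers
# require-mppe

# Hardened: require MPPE with a 128-bit key and stateless mode only
require-mppe-128
nomppe-40
nomppe-stateful
```

This does not fix the client; it turns a silent weakening into a visible connection failure, which is the outcome you want while the device is still on an affected release.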
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:apple:iphone_os:1.0:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:1.0.2:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:1.1:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:1.1.1:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:1.1.2:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:1.1.3:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:1.1.4:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:1.1.5:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:2.0:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:2.0.2:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:2.1:*:*:*:*:*:*:*
- (no CPE) iPhone OS range: 1.0 - 2.1
- (no CPE) iPhone OS for iPod touch range: 1.1 - 2.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.