
Apple AirPort routers get critical security update

Apple AirPort users, patch ASAP. It sounds as though a crook could take over your AirPort from afar with a sneaky DNS reply...

Apple just rolled out a security fix for its AirPort range of wireless routers.

The update is slightly mysterious: it fixes a vulnerability first reported more than nine months ago, dubbed CVE-2015-7029, about which we still know nothing from the CVE bug database except that “this candidate [bug] has been reserved.”

The mystery continues in Apple’s SA-2016-06-20-1 security advisory, which lists a single remote code execution hole with the rather bland description:

A memory corruption issue existed in DNS data parsing. This issue was addressed through improved bounds checking.

We can think of two ways that a DNS data-handling bug of this type might be exploited to take control of a vulnerable AirPort router.

The first way is by feeding malformed DNS requests to an AirPort that is set up to reply to queries from the internet.

The second is by feeding malformed replies to an AirPort that makes outbound DNS requests on behalf of the devices on its internal network.

The latter is obviously a much more serious flaw, and we think it’s probably the sort of bug that Apple is talking about here.

After all, you almost never want your home router to answer DNS queries from the outside, so you almost never configure your router to do so.

But you almost always want your router to perform requests to the outside as part of the service it provides to your internal network, so most routers are set up to work this way.

Feeding back bad replies

Sadly, it’s easier than you might think to feed booby-trapped DNS replies to a router you want to attack.

All you need to do is register a domain name, such as example.org; set up a booby-trapped DNS server to answer queries about the domain; and send your victims some sort of content that includes a reference to the booby-trapped domain.

For example, you might create a web page that references an image that claims to be stored on a server at the offending domain.

It doesn’t matter whether that image really exists, or even if there’s a web server to host images at all.

All that matters is that some device on the target network should decide to ask an unpatched AirPort router, “Where do I find example.org?”

The router will then pass this question on to the global DNS network, which will answer by referring the router to your own, booby-trapped DNS server, assuming that’s registered as the official DNS server for your “attack domain.”

Your “attack domain” can then send back a booby-trapped reply to take control of the victim’s router remotely, and thereby potentially to compromise his entire network.
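Apple's advisory says the flaw was fixed "through improved bounds checking" in DNS data parsing. As an added example (not Apple's code and not the AirPort firmware), here is what bounds-checked decoding of a DNS name in a reply looks like in C, including the RFC 1035 label-compression pointers that make such parsers error-prone; the sample response is constructed, and every length byte and pointer from the wire is validated against the buffer before it is used.

```c
/* Added example, not Apple's code: a bounds-checked decoder for DNS names
 * with RFC 1035 label compression (0xC0 pointers), the kind of check that
 * "improved bounds checking" in a DNS parser refers to. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Decode the name at msg[*pos] (message is len bytes) into out, dotted form,
 * outsz bytes. Returns 0 on success, -1 if the encoding is invalid or any
 * byte it would read or write lies outside the buffers. On success *pos is
 * advanced past the name as stored on the wire (a pointer is two bytes). */
int dns_read_name(const uint8_t *msg, size_t len, size_t *pos,
                  char *out, size_t outsz)
{
    size_t p = *pos, low = *pos, outlen = 0, after = 0;
    int jumped = 0;
    if (outsz < 2) return -1;                      /* room for "." and NUL */
    for (;;) {
        if (p >= len) return -1;                   /* length byte past end */
        uint8_t c = msg[p];
        if ((c & 0xC0) == 0xC0) {                  /* compression pointer */
            if (p + 1 >= len) return -1;           /* low byte past end */
            size_t target = ((size_t)(c & 0x3F) << 8) | msg[p + 1];
            if (target >= low) return -1;          /* must go strictly backwards: no loops */
            if (!jumped) { after = p + 2; jumped = 1; }
            p = low = target;
            continue;
        }
        if (c & 0xC0) return -1;                   /* reserved label types */
        p++;
        if (c == 0) break;                         /* root label ends the name */
        if (c > len - p) return -1;                /* label body past end */
        if (c + 2 > outsz - outlen) return -1;     /* label + '.' + NUL must fit */
        memcpy(out + outlen, msg + p, c);
        outlen += c;
        out[outlen++] = '.';
        p += c;
    }
    if (outlen == 0) out[outlen++] = '.';          /* bare root name */
    out[outlen] = '\0';
    *pos = jumped ? after : p;
    return 0;
}
/* Constructed sample response: question example.org/A, one answer whose NAME
 * is a pointer (0xC0 0x0C) back to the question name at offset 12. */
static const uint8_t sample[] = {
    0x12,0x34, 0x81,0x80, 0,1, 0,1, 0,0, 0,0,                  /* header */
    7,'e','x','a','m','p','l','e', 3,'o','r','g', 0, 0,1, 0,1, /* question */
    0xC0,0x0C, 0,1, 0,1, 0,0,0x0e,0x10, 0,4, 192,0,2,1         /* answer, offset 29 */
};
```

Passing a shorter `len` than the real message (a truncated reply) or a reply whose pointer points forward makes the decoder return -1 instead of reading beyond the buffer, which is exactly the behaviour a parser without these checks lacks.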

What to do?

Remote code execution bugs are always worth fixing, especially if they can be triggered by apparently innocent and unexceptional network activity that happens automatically, without users needing to click through any warning dialogs.

In other words, if you’re an Apple AirPort owner, get busy patching this one as soon as you can.

Even though there are no reports suggesting that this vulnerability is known to cybercriminals, you might as well get ahead, just in case details of how to exploit CVE-2015-7029 become known to the underworld.

For vanilla AirPort Base Stations, see Apple download DL1880.

For the Airport Extreme and AirPort Time Capsule products, see DL1708.


6 Comments

Not sure why the mailing list has the e-mail today about a patch that was released a month ago. That is the part I find odd about this…


Are you saying this patch was actually released a month ago but only announced now?

I received Apple’s official notification at 2016-06-20T20:00Z, shortly before I wrote this article, and the security advisory itself is numbered “SA-2016-06-20-1” (it was followed by a second advisory about Flash).

If the patch was out for a month already, Apple kept jolly quiet about it!


Yes, this patch was released in May. The post date says: May 24, 2016. And the version number is consistent with the one on my AirPort Extreme that I updated last month.


Weird that Apple waited nearly a month before writing the Security Advisory. There are two versions of the patch, for 7.6.7 and 7.7.7. Perhaps it’s only now that fixes are available for the whole AirPort family? (Apple does have a not-always-obeyed rule that it only talks about vulns and exploits after all the patches are out.)


The post dates on 7.6.7 and 7.7.7 are consistent, so it would seem that they patched the whole AirPort range last month and just now announced it. It is weird though, possibly some miscommunication within Apple or lack thereof.


CERT issued an mDNSResponder advisory credited to the same researcher on the same day: VU#143335.
