About the security content of Time Capsule and AirPort Base Station (802.11n) Firmware 7.5.2

This document describes the security content of Time Capsule and AirPort Base Station (802.11n) Firmware 7.5.2.

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key."

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To learn about other Security Updates, see "Apple Security Updates".

Time Capsule and AirPort Base Station (802.11n) Firmware 7.5.2

• CVE-ID: CVE-2008-4309

  Available for: AirPort Extreme Base Station with 802.11n, AirPort Express Base Station with 802.11n, Time Capsule

  Impact: A remote attacker may terminate the operation of the SNMP service

  Description: An integer overflow exists in the netsnmp_create_subtree_cache function. By sending a maliciously crafted SNMPv3 packet, an attacker may cause the SNMP server to terminate, denying service to legitimate clients. By default, the 'WAN SNMP' configuration option is disabled, and the SNMP service is accessible only to other devices on the local network. This issue is addressed by applying the Net-SNMP patches.

• CVE-ID: CVE-2009-2189

  Available for: AirPort Extreme Base Station with 802.11n, AirPort Express Base Station with 802.11n, Time Capsule

  Impact: Receiving a large number of IPv6 Router Advertisement (RA) and Neighbor Discovery (ND) packets from a system on the local network may cause the base station to restart

  Description: A resource consumption issue exists in the base station's handling of Router Advertisement (RA) and Neighbor Discovery (ND) packets. A system on the local network may send a large number of RA and ND packets that could exhaust the base station's resources, causing it to restart unexpectedly. This issue is addressed by rate limiting incoming ICMPv6 packets. Credit to Shoichi Sakane of the KAME project, Kanai Akira of Internet Multifeed Co., Shirahata Shin and Rodney Van Meter of Keio University, and Tatuya Jinmei of Internet Systems Consortium, Inc. for reporting this issue.

• CVE-ID: CVE-2010-0039

  Available for: AirPort Extreme Base Station with 802.11n, AirPort Express Base Station with 802.11n, Time Capsule

  Impact: An attacker may be able to query services behind an AirPort Base Station or Time Capsule's NAT from the source IP of the router, if any system behind the NAT has a portmapped FTP server

  Description: The AirPort Extreme Base Station and Time Capsule's Application-Level Gateway (ALG) rewrites incoming FTP traffic, including PORT commands, to appear as if it is the source. An attacker with write access to an FTP server inside the NAT may issue a malicious PORT command, causing the ALG to send attacker-supplied data to an IP and port behind the NAT. As the data is resent from the Base Station, it could potentially bypass any IP-based restrictions for the service. This issue is addressed by not rewriting inbound PORT commands via the ALG. Credit to Sabahattin Gucukoglu for reporting this issue.

• CVE-ID: CVE-2009-1574

  Available for: AirPort Extreme Base Station with 802.11n, AirPort Express Base Station with 802.11n, Time Capsule

  Impact: A remote attacker may be able to cause a denial of service

  Description: A null pointer dereference in racoon's handling of fragmented ISAKMP packets may allow a remote attacker to cause an unexpected termination of the racoon daemon. This issue is addressed through improved validation of fragmented ISAKMP packets.

• CVE-ID: CVE-2010-1804

  Available for: AirPort Extreme Base Station with 802.11n, AirPort Express Base Station with 802.11n, Time Capsule

  Impact: A remote attacker may cause the device to stop processing network traffic

  Description: An implementation issue exists in the network bridge. Sending a maliciously crafted DHCP reply to the device may cause it to stop responding to network traffic. This issue affects devices that have been configured to act as a bridge, or are configured in Network Address Translation (NAT) mode with a default host enabled. By default, the device operates in NAT mode, and no default host is configured. This update addresses the issue through improved handling of DHCP packets on the network bridge. Credit to Stefan R. Filipek for reporting this issue.

Installation note for Firmware version 7.5.2

Firmware version 7.5.2 is installed into Time Capsule or AirPort Base Station with 802.11n via AirPort Utility, provided with the device.

It is recommended that AirPort Utility 5.5.2 be installed before upgrading to Firmware version 7.5.2.

AirPort Utility 5.5.2 may be obtained through Apple's Software Download site: http://www.apple.com/support/downloads/.