A critical code execution vulnerability found by researchers in a popular ASN.1 compiler exposes mobile devices and networking equipment to remote attacks.
ASN.1 is a standard and notation describing rules and structures for representing, transmitting, encoding and decoding data in telecommunications and computer networking. The standard is used for GSM, LTE and other wireless communications, intelligent transportation systems, lawful interception, signaling in telecommunications networks (SS7), data security, wireless broadband access, network management, videoconferencing, and industries such as airspace and aviation.
Vendors often use a dedicated compiler to translate ASN.1 specifications to source code that is incorporated into software systems responsible for processing and transmitting ASN.1 data, such as the software running on mobile phones, switching devices, and critical infrastructure management systems.
One such compiler is ASN1C from US-based Objective Systems. ASN1C is used by organizations in various industries to translate ASN.1 specifications into C, C++, C# or Java source code.
Researchers discovered that ASN1C’s runtime support libraries for C and C++ are plagued by a heap-based buffer overflow vulnerability that allows remote, unauthenticated attackers to execute arbitrary code on systems that use code generated by the compiler.
“The vulnerability could be triggered remotely without any authentication in scenarios where the vulnerable code receives and processes ASN.1 encoded data from untrusted sources,” researchers explained. “These may include communications between mobile devices and telecommunication network infrastructure nodes, communications between nodes in a carrier’s network or across carrier boundaries, or communication between mutually untrusted endpoints in a data network.”
The flaw, identified as CVE-2016-5080 and rated critical based on its CVSS score, was reported to Objective Systems in early June and a hotfix was released less than two weeks later for the 7.0.1.x version. The fix will be integrated into the upcoming 7.0.2 version, but a release date has not been set.
CERT/CC has reached out to dozens of organizations whose products could be vulnerable, but so far only Qualcomm has confirmed that its software is affected. HPE and Honeywell said their products are not impacted.
“It would be extremely difficult to exploit this bug,” Bill Anderson, encryption expert and executive at OptioLabs, told SecurityWeek. “To make use of the vulnerability, an attacker would need very specific knowledge of the target device and the ability to insert communications freely into the channel. It would likely take significant effort and resources to achieve an exploit that would reliably open up a telecom system to attack. The corollary is that if it’s possible, then government intelligence services are the likely candidates to try to do it and they do have the resources. One would have to assess whether spending resources on this particular weakness is more or less efficient than their other spying methods.”
“While the affected vendor has already developed a fix for the problem that they have made available to any customer who wants it, the availability of a fix does not mean that all systems will be patched in any reasonable time, if ever,” Anderson added. “Complex systems like telecom networks are not patched overnight – development, testing and deployment can take a very long time. The chain from the ASN.1 vendor to the telecom OEM to the telecom provider actually deploying an update could take more than a year.”
*Updated with comments from Bill Anderson