Critical Flaw Exposes Mobile Devices, Networks to Attacks

A critical code execution vulnerability found by researchers in a popular ASN.1 compiler exposes mobile devices and networking equipment to remote attacks.

ASN.1 is a standard and notation describing rules and structures for representing, transmitting, encoding and decoding data in telecommunications and computer networking. The standard is used for GSM, LTE and other wireless communications, intelligent transportation systems, lawful interception, signaling in telecommunications networks (SS7), data security, wireless broadband access, network management, videoconferencing, and industries such as airspace and aviation.

Vendors often use a dedicated compiler to translate ASN.1 specifications to source code that is incorporated into software systems responsible for processing and transmitting ASN.1 data, such as the software running on mobile phones, switching devices, and critical infrastructure management systems.

One such compiler is ASN1C from US-based Objective Systems. ASN1C is used by organizations in various industries to translate ASN.1 specifications into C, C++, C# or Java source code.

Researchers discovered that ASN1C’s runtime support libraries for C and C++ are plagued by a heap-based buffer overflow vulnerability that allows remote, unauthenticated attackers to execute arbitrary code on systems that use code generated by the compiler.

“The vulnerability could be triggered remotely without any authentication in scenarios where the vulnerable code receives and processes ASN.1 encoded data from untrusted sources,” researchers explained. “These may include communications between mobile devices and telecommunication network infrastructure nodes, communications between nodes in a carrier’s network or across carrier boundaries, or communication between mutually untrusted endpoints in a data network.”

The flaw, identified as CVE-2016-5080 and rated critical based on its CVSS score, was reported to Objective Systems in early June and a hotfix was released less than two weeks later for the 7.0.1.x version. The fix will be integrated into the upcoming 7.0.2 version, but a release date has not been set.

CERT/CC has reached out to dozens of organizations whose products could be vulnerable, but so far only Qualcomm has confirmed that its software is affected. HPE and Honeywell said their products are not impacted.

“It would be extremely difficult to exploit this bug,” Bill Anderson, encryption expert and executive at OptioLabs, told SecurityWeek. “To make use of the vulnerability, an attacker would need very specific knowledge of the target device and the ability to insert communications freely into the channel. It would likely take significant effort and resources to achieve an exploit that would reliably open up a telecom system to attack. The corollary is that if it’s possible, then government intelligence services are the likely candidates to try to do it and they do have the resources. One would have to assess whether spending resources on this particular weakness is more or less efficient than their other spying methods.” 

“While the affected vendor has already developed a fix for the problem that they have made available to any customer who wants it, the availability of a fix does not mean that all systems will be patched in any reasonable time, if ever,” Anderson added. “Complex systems like telecom networks are not patched overnight – development, testing and deployment can take a very long time. The chain from the ASN.1 vendor to the telecom OEM to the telecom provider actually deploying an update could take more than a year.”

*Updated with comments from Bill Anderson

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
