CONFERENCE On Demand: Cyber AI & Automation Summit - Watch Now
Connect with us

Hi, what are you looking for?


Security Infrastructure

Critical Flaw Exposes Mobile Devices, Networks to Attacks

A critical code execution vulnerability found by researchers in a popular ASN.1 compiler exposes mobile devices and networking equipment to remote attacks.

A critical code execution vulnerability found by researchers in a popular ASN.1 compiler exposes mobile devices and networking equipment to remote attacks.

ASN.1 is a standard and notation describing rules and structures for representing, transmitting, encoding and decoding data in telecommunications and computer networking. The standard is used for GSM, LTE and other wireless communications, intelligent transportation systems, lawful interception, signaling in telecommunications networks (SS7), data security, wireless broadband access, network management, videoconferencing, and industries such as airspace and aviation.

Vendors often use a dedicated compiler to translate ASN.1 specifications to source code that is incorporated into software systems responsible for processing and transmitting ASN.1 data, such as the software running on mobile phones, switching devices, and critical infrastructure management systems.

One such compiler is ASN1C from US-based Objective Systems. ASN1C is used by organizations in various industries to translate ASN.1 specifications into C, C++, C# or Java source code.

Researchers discovered that ASN1C’s runtime support libraries for C and C++ are plagued by a heap-based buffer overflow vulnerability that allows remote, unauthenticated attackers to execute arbitrary code on systems that use code generated by the compiler.

“The vulnerability could be triggered remotely without any authentication in scenarios where the vulnerable code receives and processes ASN.1 encoded data from untrusted sources,” researchers explained. “These may include communications between mobile devices and telecommunication network infrastructure nodes, communications between nodes in a carrier’s network or across carrier boundaries, or communication between mutually untrusted endpoints in a data network.”

The flaw, identified as CVE-2016-5080 and rated critical based on its CVSS score, was reported to Objective Systems in early June and a hotfix was released less than two weeks later for the 7.0.1.x version. The fix will be integrated into the upcoming 7.0.2 version, but a release date has not been set.

CERT/CC has reached out to dozens of organizations whose products could be vulnerable, but so far only Qualcomm has confirmed that its software is affected. HPE and Honeywell said their products are not impacted.

Advertisement. Scroll to continue reading.

“It would be extremely difficult to exploit this bug,” Bill Anderson, encryption expert and executive at OptioLabs, told SecurityWeek. “To make use of the vulnerability, an attacker would need very specific knowledge of the target device and the ability to insert communications freely into the channel. It would likely take significant effort and resources to achieve an exploit that would reliably open up a telecom system to attack. The corollary is that if it’s possible, then government intelligence services are the likely candidates to try to do it and they do have the resources. One would have to assess whether spending resources on this particular weakness is more or less efficient than their other spying methods.” 

“While the affected vendor has already developed a fix for the problem that they have made available to any customer who wants it, the availability of a fix does not mean that all systems will be patched in any reasonable time, if ever,” Anderson added. “Complex systems like telecom networks are not patched overnight – development, testing and deployment can take a very long time. The chain from the ASN.1 vendor to the telecom OEM to the telecom provider actually deploying an update could take more than a year.”

*Updated with comments from Bill Anderson

Related: “Libotr” Library Flaw Exposes Popular IM Apps

Related: Old HTTPoxy Flaw Exposes Web Applications to Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Security Infrastructure

Security vendor consolidation is picking up steam with good reason. Everyone wants to improve security efficiency and effectiveness while paying for less.

Management & Strategy

Hundreds of companies are showcasing their products and services this week at the 2023 edition of the RSA Conference in San Francisco.

Security Infrastructure

Instead of deploying new point products, CISOs should consider sourcing technologies from vendors that develop products designed to work together as part of a...

Security Infrastructure

Comcast jumps into the enterprise cybersecurity business, betting that its internal security tools and inventions can find traction in an expanding marketplace.

Cloud Security

The term ‘zero trust’ is now used so much and so widely that it has almost lost its meaning.

Security Infrastructure

XDR's fully loaded value to threat detection, investigation and response will only be realized when it is viewed as an architecture

Security Infrastructure

While silos pose significant dangers to an enterprise's cybersecurity posture, consolidation serves as a powerful solution to overcome these risks, offering improved visibility, efficiency,...