VU#790839: Objective Systems ASN1C generates code that contains a heap overflow vulnerability

http://ift.tt/29Rofj0

Vulnerability Note VU#790839

Original Release date: 19 Jul 2016 | Last revised: 19 Jul 2016

Overview

ASN.1 is a standard representation of data for networking and telecommunications applications. Objective Systems’ ASN1C compiler generates C code that may be vulnerable to heap overflow.

Description

CWE-122: Heap-based Buffer Overflow – CVE-2016-5080

ASN1C is used to generate high-level-language code from ASN.1 syntax. According to the reporter, the C and C++ code generated by ASN1C may be vulnerable to heap overflow in the generated rtxMemHeapAlloc function. It is currently unclear whether a similar vulnerability exists in other output languages such as Java and C#.

A remote unauthenticated attacker may be able to exploit the heap overflow to execute arbitrary code on the underlying system, but exploitability depends on whether the application uses the rtxMemHeapAlloc function in an unsafe way. In particular, the application would likely need to process ASN.1 data from untrusted sources to be vulnerable. Developers making use of ASN1C in their products should audit their code to determine if their application is vulnerable. The CVSS score below reflects a worst-case scenario, and may not apply to all instances.

The researcher has more information available in a security advisory.

Impact

The impact may vary depending on how the vulnerable code is used in an application. In the worst case, an application that processes ASN.1 data from untrusted sources may be exploited by a remote unauthenticated attacker to execute arbitrary code with the permissions of the application (typically root/SYSTEM).

Solution

Apply an update

Objective Systems has released a hotfix for the ASN1C 7.0.1.x series to correct this flaw. Customers using the vulnerable features should contact Objective Systems directly to request the hotfix. Alternatively, customers may use a different heap manager, or edit the generated code by hand to remove the heap overflow.

ASN1C version 7.0.2 will contain the fix for all customers, but its release date is currently not set.

Vendor Information

The vendors listed below were primarily sourced from Objective Systems’ customer list. The CERT/CC has no further evidence that any particular vendor is impacted; vendors are encouraged to reach out to us to clarify their status.

Vendor                       Status         Date Notified   Date Updated
Objective Systems            Affected       20 Jun 2016
QUALCOMM Incorporated        Affected       20 Jun 2016     13 Jul 2016
Hewlett Packard Enterprise   Not Affected   20 Jun 2016     01 Jul 2016
Honeywell                    Not Affected   20 Jun 2016     07 Jul 2016
Alcatel-Lucent               Unknown        20 Jun 2016     20 Jun 2016
AT&T                         Unknown        20 Jun 2016     20 Jun 2016
Broadcom                     Unknown        20 Jun 2016     20 Jun 2016
BT                           Unknown        20 Jun 2016     20 Jun 2016
Cisco                        Unknown        20 Jun 2016     20 Jun 2016
Deutsche Telekom             Unknown        20 Jun 2016     20 Jun 2016
Ericsson                     Unknown        20 Jun 2016     20 Jun 2016
General Dynamics             Unknown        20 Jun 2016     20 Jun 2016
Google                       Unknown        20 Jun 2016     20 Jun 2016
Hitachi                      Unknown        20 Jun 2016     20 Jun 2016
Huawei Technologies          Unknown        20 Jun 2016     20 Jun 2016

If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group           Score   Vector
Base            9.3     AV:N/AC:M/Au:N/C:C/I:C/A:C
Temporal        7.1     E:U/RL:TF/RC:C
Environmental   5.4     CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

Credit

Thanks to Ivan Arce of Programa STIC at Fundación Dr. Manuel Sadosky for reporting this vulnerability.

This document was written by Garret Wassermann.

Other Information

  • CVE IDs: CVE-2016-5080
  • Date Public: 18 Jul 2016
  • Date First Published: 19 Jul 2016
  • Date Last Updated: 19 Jul 2016
  • Document Revision: 21

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Vulnerabilities

via CERT Recently Published Vulnerability Notes http://ift.tt/15YRALE

July 19, 2016 at 09:47AM

