A flaw discovered in an ASN.1 compiler, a widely used C/C++ development tool, could have propagated code vulnerable to heap memory corruption attacks, resulting in remote code execution.
The vulnerability arises when Abstract Syntax Notation One (ASN.1) code that has been compiled with Objective Systems' ASN1C tool is integrated with the rest of a C/C++ project's code and built into an executable; those resulting programs are the ones that may be vulnerable to attacks. The researcher who reported the flaw, Iván Arce, told SearchSecurity by email that checking for the existence of the vulnerability in production code would not be easy.
"There is no easy way to automate it," said Arce, who is program director of security in information communications technology at the Fundación Dr. Manuel Sadosky, a public-private research institution based in Buenos Aires, Argentina. "Neither automated source code analysis nor binary analysis produce definitive proof that a given system is vulnerable, but vendors that use ASN1C to generate code they use in their software should be able to quickly assess if the problem requires more in-depth investigation in their product's source-code repositories."
ASN1C is an ASN.1 compiler sold by Objective Systems Inc., based in Exton, Pa., and is used by dozens of leading networking and telecommunications vendors. The only vendors currently listed as being affected by the vulnerability are Objective Systems and Qualcomm; Hewlett Packard Enterprise, Honeywell and Siemens are not affected, but the status of products from AT&T, Cisco, Sony and dozens more is still unknown, according to a CERT security advisory.
"The vulnerability is an integer overflow that can cause buffer overflow," Qualcomm said in a statement to SearchSecurity, but "due to the ASN.1 PER [Packed Encoding Rules] specified in the cellular standards and implemented in our products, we believe the vulnerability is not exploitable. This is because in order to exploit it, an attacker needs to send a large value in a specially crafted network signaling message; but the encoding rule specified in the 3G/4G Standards and in our products does not allow such a large value to get through." Qualcomm is still actively working with Objective Systems and propagating the patch to its affected products.
ASN.1 is a specification for the formal notation used to represent data transmitted by telecommunications and networking protocols. The ASN1C ASN.1 compiler translates ASN.1 source specifications into source code.
Paul Vixie, CEO at Farsight Security Inc., based in San Mateo, Calif., said, "ASN.1 is comparable to JSON as a portable external data representation. ASN.1 is older than JSON, and [it] is more space- and CPU-efficient than JSON."
Objective Systems has already made an interim fix in version v7.0.1.x available to customers on request, and the fix will be incorporated in its upcoming v7.0.2 release.
CERT gave the vulnerability a critical base score of 9.3 on the Common Vulnerability Scoring System (CVSS) scale. The flaw was assigned to CVE-2016-5080.
"The scope of this vulnerability is global, and, as a result, the global economy is at risk while affected products are found, patched and updated," Vixie said. "The high CVSS score is entirely warranted in this case."
"But that score assumes the worst-case assessment," said Scott Petry, CEO and founder at Authentic8 Inc., the Mountain View, Calif., cloud browser firm. "You could think of it as a 9.3 for those whose code is using the affected libs for managing heap. But this isn't like Heartbleed, where any data that is intercepted may lead to the vulnerability. The ability to execute the exploit relies on grabbing the right data from the right exposed system, which may turn out to be a small number."
Details of the flaw
Arce said the vulnerability traces to use of the rtxMemHeapAlloc function, a component of the compiler runtime support libraries. "Code generated by the ASN1C compiler uses that function for memory management purposes," he said. "Vendors that use ASN1C and did not replace rtxMemHeapAlloc with their own memory management functions are potentially vulnerable."
"They would be vulnerable if their code takes data encoded in ASN.1 from an untrusted source -- for example, the network -- and then use the code generated by ASN1C, unmodified, to parse it. They would not be vulnerable if they added explicit checks to constrain the size of the data received from untrusted sources or to identify and discard malformed input data before processing it," Arce said. "Each vendor that uses ASN1C will need to determine this on the source code to their products."
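The bug class Qualcomm and Arce describe, an integer overflow in an allocation-size computation that turns into a heap overflow, and the mitigation Arce names, an explicit bound on untrusted sizes, can be illustrated with a constructed example. This is added example code, not Objective Systems' runtime or the actual rtxMemHeapAlloc defect; the header size, the MAX_UNTRUSTED_COUNT cap and all function names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed example, not Objective Systems' runtime: a hypothetical heap wrapper that
   prepends a fixed header to each block and sizes the block from a count read off the wire. */
#define BLOCK_HEADER_SIZE 16u
/* Hypothetical application-level bound on how many elements an untrusted message may declare. */
#define MAX_UNTRUSTED_COUNT 65536u

/* Unchecked size computation: count * elem_size can wrap in 32-bit arithmetic, so a huge
   count yields a tiny allocation that a later copy of count elements would overrun. */
uint32_t naive_block_size(uint32_t count, uint32_t elem_size) {
    return (uint32_t)(count * elem_size) + BLOCK_HEADER_SIZE;
}

/* Hardened version: explicit bound on count plus overflow checks on every step.
   Returns 0 on rejection; 0 is never a valid size here because every block carries a header. */
uint32_t checked_block_size(uint32_t count, uint32_t elem_size) {
    if (elem_size == 0 || count > MAX_UNTRUSTED_COUNT) return 0;
    if (count > UINT32_MAX / elem_size) return 0;              /* multiply would wrap */
    uint32_t payload = count * elem_size;
    if (payload > UINT32_MAX - BLOCK_HEADER_SIZE) return 0;    /* add would wrap */
    return payload + BLOCK_HEADER_SIZE;
}

/* Decoder front end: read a big-endian 32-bit element count from an untrusted message
   and validate it before any allocation happens. Returns the block size, or 0 if rejected. */
uint32_t size_from_message(const uint8_t *msg, size_t len, uint32_t elem_size) {
    if (len < 4) return 0;                                     /* truncated header */
    uint32_t count = ((uint32_t)msg[0] << 24) | ((uint32_t)msg[1] << 16)
                   | ((uint32_t)msg[2] << 8)  |  (uint32_t)msg[3];
    return checked_block_size(count, elem_size);
}

int main(void) {
    /* Constructed messages: one benign (count 100), one declaring 0x40000000 elements. */
    const uint8_t benign[4]    = {0x00, 0x00, 0x00, 0x64};
    const uint8_t oversized[4] = {0x40, 0x00, 0x00, 0x00};
    printf("naive size for 0x40000000 x 8 bytes: %u (wrapped)\n", naive_block_size(0x40000000u, 8u));
    printf("checked size, benign:    %u\n", size_from_message(benign, 4, 8u));
    printf("checked size, oversized: %u (rejected)\n", size_from_message(oversized, 4, 8u));
    return 0;
}
```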
While ASN.1 is often associated with telecommunications protocols, it is also prominent in internet and web protocols, including Simple Network Management Protocol, Simple Object Access Protocol and Common Object Request Broker Architecture. "Any network application or server that used this ASN.1 code generator is vulnerable to a targeted heap smash, which could be used to transmit executable code and have that code executed by the victim," Vixie said.
"A developer could have written their own heap manager or modified the supplied library, and, by my read, apparently not be exposed," Petry said.
As for whether the flaw can be exploited, and how easily, it all depends on the specifics of the software system targeted, Arce said. "What we found is a vulnerability in a component, a building block that may be used by different vendors, in different places and for multiple, different purposes," he said. "We have no knowledge and have not seen any exploits in the wild, but [we] do not monitor those things anyway, so our statement on that matter should [not] be considered conclusive either way."
"There is a sequence of conditions that need to line up in order for a device to be subject to the exploit," Petry said. "How many, I can't say. It really comes down to how common it is for developers to use the included libraries for managing memory allocation."
Detection and mitigation
Arce praised Objective Systems for its cooperation after he reported the flaw early in June. "They've been very diligent in fixing the problem in a timely manner, as can be gleaned from the timeline section of our bulletin," he said.
"Generally speaking, any product built with the pre-existing (pre-CVS) ASN.1 compiler must be presumed to be vulnerable, based on the version number of the compiler alone, and without requiring by-hand disassembly and auditing of the generated code," Vixie said. "There is no easy, one-step way for an application user or service customer to know whether their systems are vulnerable, since the vulnerabilities will have been generated during compilation of unnamed third-party libraries and applications."
The CERT vulnerability notes database entry for the flaw suggested affected developers should audit their code for the presence of the affected libraries and begin updating their code with the patched version of the ASN1C compiler. Petry speculated the vendor response will reflect how a vendor views the practical exposure of the flaw. "If you recall Heartbleed," Petry said, "anyone running the affected SSL libraries was, by definition, exposed, which is why the fix was released and adopted so quickly. This may be a less broadly exploitable vulnerability, thus the phased rollout."