In this Risk & Repeat podcast, SearchSecurity editors discuss the newly disclosed ASN.1 compiler flaw and its implications for mobile communications and network carriers.
Mobile devices and their underlying telecom networks could be at risk of devastating attacks, thanks to a newly discovered flaw in an ASN.1 compiler.
The vulnerability was discovered in a code library used for programming with the Abstract Syntax Notation One (ASN.1) telephony standard. The library is part of an ASN.1 compiler used by many telecom firms and mobile carriers. Security researcher Iván Arce, who discovered the flaw in the widely used ASN.1 compiler, explained that the vulnerability could enable heap memory corruption attacks, which would allow threat actors to eavesdrop on communications and even perform remote code execution.
"The vulnerability could be triggered remotely without any authentication in scenarios where the vulnerable code receives and processes ASN.1 encoded data from untrusted sources," Arce wrote in his vulnerability report. "These may include communications between mobile devices and telecommunication network infrastructure nodes, communications between nodes in a carrier's network or across carrier boundaries, or communication between mutually untrusted endpoints in a data network."
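As an added illustration of the bug class Arce describes (unbounded lengths taken from untrusted ASN.1 data), and not ASN1C code or the actual flaw, which the article does not detail: a C decoder for a DER tag-length header that validates the declared length against the bytes actually received before anything is allocated or copied. The sample encodings are constructed, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
/* One decoded DER tag-length header; the content length has already been
   checked against the bytes actually present in the buffer. */
typedef struct {
    uint8_t tag;
    size_t  length;      /* declared content length, <= remaining bytes */
    size_t  header_len;  /* bytes used by the tag and length octets */
} der_tlv;

/* Decode one DER TLV header from an untrusted buffer. Returns 1 and fills
   *out on success; returns 0 for a truncated buffer, an indefinite or
   non-minimal long-form length, a length field wider than size_t, or a
   declared length larger than what remains. A decoder that omits that
   last check reads or copies past the buffer it was given. */
int der_read_tlv(const uint8_t *buf, size_t buf_len, der_tlv *out)
{
    if (buf_len < 2) return 0;                 /* need tag + first length octet */
    size_t pos = 0;
    uint8_t tag = buf[pos++];
    uint8_t first = buf[pos++];
    size_t len;
    if (first < 0x80) {                        /* short form: length in one octet */
        len = first;
    } else {
        size_t n = first & 0x7f;               /* long form: n length octets follow */
        if (n == 0 || n > sizeof(size_t) || n > buf_len - pos) return 0;
        if (n > 1 && buf[pos] == 0) return 0;  /* leading zero octet: not minimal */
        len = 0;
        for (size_t i = 0; i < n; i++) len = (len << 8) | buf[pos++];
        if (len < 0x80) return 0;              /* must have used the short form */
    }
    if (len > buf_len - pos) return 0;         /* the decisive bounds check */
    out->tag = tag; out->length = len; out->header_len = pos;
    return 1;
}

/* Validated content length, or -1 when the header is rejected. */
long der_content_length(const uint8_t *buf, size_t buf_len)
{
    der_tlv t;
    return der_read_tlv(buf, buf_len, &t) ? (long)t.length : -1;
}

/* Constructed samples, not captured traffic: */
const uint8_t SAMPLE_OK[]         = {0x04, 0x03, 'a', 'b', 'c'};                /* OCTET STRING "abc" */
const uint8_t SAMPLE_TRUNCATED[]  = {0x04, 0x05, 'a', 'b'};                     /* claims 5 bytes, has 2 */
const uint8_t SAMPLE_HUGE[]       = {0x04, 0x84, 0xFF, 0xFF, 0xFF, 0xFF, 0x00}; /* claims ~4 GiB */
const uint8_t SAMPLE_NONMINIMAL[] = {0x04, 0x81, 0x05, 0, 0, 0, 0, 0};          /* long form for 5 */
```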
Objective Systems, which sells the ASN.1 compiler ASN1C, has released a patch for the critical flaw, which was given a 9.3 CVSS score by CERT. CERT currently lists companies that may have been affected by the vulnerability because they use the compiler. So far, Check Point, Hewlett Packard Enterprise, Honeywell, Huawei Technologies, Qualcomm and Siemens have been determined to be unaffected by the ASN.1 compiler flaw -- but nearly 30 other technology firms may still be vulnerable.
How serious is this flaw? Why is it so hard to detect? And what are the chances that an advanced persistent threat group or nation-state attackers have already discovered and potentially exploited it? In this episode of SearchSecurity's Risk & Repeat podcast, editors Rob Wright and Peter Loshin discuss those questions and other issues related to the ASN.1 compiler vulnerability.