CERT/CC Vulnerability Note VU#790839

Overview

ASN.1 is a standard representation of data for networking and telecommunications applications. Objective System's ASN1C compiler generates C and C++ code that may be vulnerable to heap overflow.

Description

CWE-122: Heap-based Buffer Overflow - CVE-2016-5080

ASN1C is used to generate high-level-language code from ASN.1 syntax. According to the reporter, the generated C and C++ code from ASN1C may be vulnerable to heap overflow in the generated heap manager's rtxMemHeapAlloc function. It is currently unclear if a similar vulnerability exists in other output languages such as Java. and C#.

A remote unauthenticated attacker may be able to exploit the heap overflow to execute arbitrary code on the underlying system, but the availability of this exploit depends on whether the application utilizes the rtxMemHeapAlloc function in an unsafe way. In particular, the application would likely need to process ASN.1 data from untrusted sources to be vulnerable. Developers making use of ASN1C in their products should audit their code to determine if their application is vulnerable. The CVSS score below reflects a worst-case scenario, and may not apply to all instances.

The researcher has more information available in a security advisory.

Impact

The impact may vary depending on how the vulnerable code is used in an application. In worst case, an application that utilizes ASN.1 data from untrusted sources may be exploited by a remote unauthenticated attacker to execute arbitrary code with permissions of the application (typically root/SYSTEM).

Solution

Apply an update

Objective Systems has released a hotfix for the ASN1C 7.0.1.x series to correct this flaw. Customers using the vulnerable features should contact Objective Systems directly to request the hotfix. Customers may also alternately use a different heap manager, or edit the generated code by hand to remove the heap overflow.

ASN1C version 7.0.2 will contain the fix for all customers, but its release date is currently not set.

Vendor Information

The vendors listed below were primarily sourced from Objective Systems' customer list. The CERT/CC has no further evidence that any particular vendor is impacted unless marked Affected; vendors are encouraged to reach out to us to clarify their status.

790839

Filter by status:

Filter by content: Additional information available

Sort by:

Expand all

Objective Systems Affected

Updated: June 20, 2016

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Affected customers should contact Objective Systems to obtain a hotfix for ASN1C version 7.0.1.x.

The vulnerability will be fully corrected when version 7.0.2 is released. Currently there is no estimated release date for version 7.0.2.

Check Point Software Technologies Not Affected

Updated: July 29, 2016

Statement Date: July 28, 2016

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Hewlett Packard Enterprise Not Affected

Notified: June 20, 2016 Updated: July 01, 2016

Statement Date: June 30, 2016

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Honeywell Not Affected

Notified: June 20, 2016 Updated: July 07, 2016

Statement Date: July 07, 2016

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Huawei Technologies Not Affected

Notified: June 20, 2016 Updated: July 29, 2016

Statement Date: July 28, 2016

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Juniper Networks Not Affected

Notified: August 26, 2016 Updated: August 26, 2016

Statement Date: August 26, 2016

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

QUALCOMM Incorporated Not Affected

Notified: June 20, 2016 Updated: August 22, 2016

Statement Date: July 21, 2016

Status

Not Affected

Vendor Statement

"We have determined that the products designed by Qualcomm Technologies Inc. (QTI) to interface with the Objective Systems ASN.1 module at issue properly implemented size checks. Thus, the integer overflow vulnerability that can further lead to a heap-based buffer overflow is mitigated and we believe is not exploitable through QTI's implementations."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

While Qualcomm uses the vulnerable module in their cellular protocol software, current analysis suggests they are not impacted by this vulnerability.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Siemens Not Affected

Notified: July 19, 2016 Updated: July 20, 2016

Statement Date: July 20, 2016

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

AT&T Unknown

Notified: June 20, 2016 Updated: June 20, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Alcatel-Lucent Unknown

Notified: June 20, 2016 Updated: June 20, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

BAE Systems Unknown

Notified: July 19, 2016 Updated: July 19, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

BT Unknown

Notified: June 20, 2016 Updated: June 20, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Booz Allen Hamilton Unknown

Notified: July 19, 2016 Updated: July 19, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Broadcom Unknown

Notified: June 20, 2016 Updated: June 20, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Cisco Unknown

Notified: June 20, 2016 Updated: June 20, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Deutsche Telekom Unknown

Notified: June 20, 2016 Updated: June 20, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Entrust Unknown

Notified: July 19, 2016 Updated: July 19, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Ericsson Unknown

Notified: June 20, 2016 Updated: June 20, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

General Dynamics Unknown

Notified: June 20, 2016 Updated: June 20, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Google Unknown

Notified: June 20, 2016 Updated: June 20, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Harris Corporation Unknown

Notified: July 19, 2016 Updated: July 19, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Hitachi Unknown

Notified: June 20, 2016 Updated: June 20, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

IBM Corporation Unknown

Notified: June 20, 2016 Updated: June 20, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Intel Corporation Unknown

Notified: June 20, 2016 Updated: June 20, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Microsoft Corporation Unknown

Notified: June 20, 2016 Updated: June 20, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Motorola, Inc. Unknown

Notified: June 20, 2016 Updated: June 20, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

NEC Corporation Unknown

Notified: June 20, 2016 Updated: June 20, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Nokia Unknown

Notified: June 20, 2016 Updated: June 20, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Panasonic Unknown

Notified: June 20, 2016 Updated: June 20, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Polycom Unknown

Notified: June 20, 2016 Updated: June 20, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

SEIKO EPSON Corp. / Epson America Inc. Unknown

Notified: July 19, 2016 Updated: July 19, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Samsung Mobile Unknown

Notified: July 21, 2016 Updated: July 21, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Sony Corporation Unknown

Notified: June 20, 2016 Updated: June 20, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

TMobile Unknown

Notified: June 20, 2016 Updated: June 20, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Unisys Unknown

Notified: June 20, 2016 Updated: June 20, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Verizon Unknown

Notified: June 20, 2016 Updated: June 20, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Vodafone Group, Inc. Unknown

Notified: July 19, 2016 Updated: July 19, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

View all 37 vendors View less vendors

CVSS Metrics

Group	Score	Vector
Base	9.3	AV:N/AC:M/Au:N/C:C/I:C/A:C
Temporal	7.1	E:U/RL:TF/RC:C
Environmental	5.4	CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Lucas Molas and Ivan Arce of Programa STIC at the Fundación Sadosky for researching and coordinating this vulnerability.

This document was written by Garret Wassermann.

Other Information

CVE IDs:	CVE-2016-5080
Date Public:	2016-07-18
Date First Published:	2016-07-19
Date Last Updated:	2016-08-26 18:07 UTC
Document Revision:	53

Software Engineering Institute

CERT Coordination Center

Objective Systems ASN1C generates code that contains a heap overflow vulnerability

Vulnerability Note VU#790839

Overview

Description

Impact

Solution

Vendor Information

Objective Systems Affected

Status

Vendor Statement

Vendor Information

Check Point Software Technologies Not Affected

Status

Vendor Statement

Vendor Information

Hewlett Packard Enterprise Not Affected

Status

Vendor Statement

Vendor Information

Honeywell Not Affected

Status

Vendor Statement

Vendor Information

Huawei Technologies Not Affected

Status

Vendor Statement

Vendor Information

Juniper Networks Not Affected

Status

Vendor Statement

Vendor Information

QUALCOMM Incorporated Not Affected

Status

Vendor Statement

Vendor Information

Addendum

Siemens Not Affected

Status

Vendor Statement

Vendor Information

AT&T Unknown

Status

Vendor Statement

Vendor References

Alcatel-Lucent Unknown

Status

Vendor Statement

Vendor References

BAE Systems Unknown

Status

Vendor Statement

Vendor References

BT Unknown

Status

Vendor Statement

Vendor References

Booz Allen Hamilton Unknown

Status

Vendor Statement

Vendor References

Broadcom Unknown

Status

Vendor Statement

Vendor References

Cisco Unknown

Status

Vendor Statement

Vendor References

Deutsche Telekom Unknown

Status

Vendor Statement

Vendor References

Entrust Unknown

Status

Vendor Statement

Vendor References

Ericsson Unknown

Status