search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Objective Systems ASN1C generates code that contains a heap overflow vulnerability

Vulnerability Note VU#790839

Original Release Date: 2016-07-19 | Last Revised: 2016-08-26

Overview

ASN.1 is a standard representation of data for networking and telecommunications applications. Objective System's ASN1C compiler generates C and C++ code that may be vulnerable to heap overflow.

Description

CWE-122: Heap-based Buffer Overflow - CVE-2016-5080

ASN1C is used to generate high-level-language code from ASN.1 syntax. According to the reporter, the generated C and C++ code from ASN1C may be vulnerable to heap overflow in the generated heap manager's rtxMemHeapAlloc function. It is currently unclear if a similar vulnerability exists in other output languages such as Java. and C#.

A remote unauthenticated attacker may be able to exploit the heap overflow to execute arbitrary code on the underlying system, but the availability of this exploit depends on whether the application utilizes the rtxMemHeapAlloc function in an unsafe way. In particular, the application would likely need to process ASN.1 data from untrusted sources to be vulnerable. Developers making use of ASN1C in their products should audit their code to determine if their application is vulnerable. The CVSS score below reflects a worst-case scenario, and may not apply to all instances.

The researcher has more information available in a security advisory.

Impact

The impact may vary depending on how the vulnerable code is used in an application. In worst case, an application that utilizes ASN.1 data from untrusted sources may be exploited by a remote unauthenticated attacker to execute arbitrary code with permissions of the application (typically root/SYSTEM).

Solution

Apply an update

Objective Systems has released a hotfix for the ASN1C 7.0.1.x series to correct this flaw. Customers using the vulnerable features should contact Objective Systems directly to request the hotfix. Customers may also alternately use a different heap manager, or edit the generated code by hand to remove the heap overflow.

ASN1C version 7.0.2 will contain the fix for all customers, but its release date is currently not set.

Vendor Information

The vendors listed below were primarily sourced from Objective Systems' customer list. The CERT/CC has no further evidence that any particular vendor is impacted unless marked Affected; vendors are encouraged to reach out to us to clarify their status.

790839
 
Affected   Unknown   Unaffected

Objective Systems

Updated:  June 20, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Affected customers should contact Objective Systems to obtain a hotfix for ASN1C version 7.0.1.x.

The vulnerability will be fully corrected when version 7.0.2 is released. Currently there is no estimated release date for version 7.0.2.

Check Point Software Technologies

Updated:  July 29, 2016

Statement Date:   July 28, 2016

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Hewlett Packard Enterprise

Notified:  June 20, 2016 Updated:  July 01, 2016

Statement Date:   June 30, 2016

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Honeywell

Notified:  June 20, 2016 Updated:  July 07, 2016

Statement Date:   July 07, 2016

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Huawei Technologies

Notified:  June 20, 2016 Updated:  July 29, 2016

Statement Date:   July 28, 2016

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Juniper Networks

Notified:  August 26, 2016 Updated:  August 26, 2016

Statement Date:   August 26, 2016

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

QUALCOMM Incorporated

Notified:  June 20, 2016 Updated:  August 22, 2016

Statement Date:   July 21, 2016

Status

  Not Affected

Vendor Statement

"We have determined that the products designed by Qualcomm Technologies Inc. (QTI) to interface with the Objective Systems ASN.1 module at issue properly implemented size checks. Thus, the integer overflow vulnerability that can further lead to a heap-based buffer overflow is mitigated and we believe is not exploitable through QTI's implementations."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

While Qualcomm uses the vulnerable module in their cellular protocol software, current analysis suggests they are not impacted by this vulnerability.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Siemens

Notified:  July 19, 2016 Updated:  July 20, 2016

Statement Date:   July 20, 2016

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

AT&T

Notified:  June 20, 2016 Updated:  June 20, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

    Alcatel-Lucent

    Notified:  June 20, 2016 Updated:  June 20, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor References

      BAE Systems

      Notified:  July 19, 2016 Updated:  July 19, 2016

      Status

        Unknown

      Vendor Statement

      No statement is currently available from the vendor regarding this vulnerability.

      Vendor References

        BT

        Notified:  June 20, 2016 Updated:  June 20, 2016

        Status

          Unknown

        Vendor Statement

        No statement is currently available from the vendor regarding this vulnerability.

        Vendor References

          Booz Allen Hamilton

          Notified:  July 19, 2016 Updated:  July 19, 2016

          Status

            Unknown

          Vendor Statement

          No statement is currently available from the vendor regarding this vulnerability.

          Vendor References

            Broadcom

            Notified:  June 20, 2016 Updated:  June 20, 2016

            Status

              Unknown

            Vendor Statement

            No statement is currently available from the vendor regarding this vulnerability.

            Vendor References

              Cisco

              Notified:  June 20, 2016 Updated:  June 20, 2016

              Status

                Unknown

              Vendor Statement

              No statement is currently available from the vendor regarding this vulnerability.

              Vendor References

                Deutsche Telekom

                Notified:  June 20, 2016 Updated:  June 20, 2016

                Status

                  Unknown

                Vendor Statement

                No statement is currently available from the vendor regarding this vulnerability.

                Vendor References

                  Entrust

                  Notified:  July 19, 2016 Updated:  July 19, 2016

                  Status

                    Unknown

                  Vendor Statement

                  No statement is currently available from the vendor regarding this vulnerability.

                  Vendor References

                    Ericsson

                    Notified:  June 20, 2016 Updated:  June 20, 2016

                    Status

                      Unknown

                    Vendor Statement

                    No statement is currently available from the vendor regarding this vulnerability.

                    Vendor References

                      General Dynamics

                      Notified:  June 20, 2016 Updated:  June 20, 2016

                      Status

                        Unknown

                      Vendor Statement

                      No statement is currently available from the vendor regarding this vulnerability.

                      Vendor References

                        Google

                        Notified:  June 20, 2016 Updated:  June 20, 2016

                        Status

                          Unknown

                        Vendor Statement

                        No statement is currently available from the vendor regarding this vulnerability.

                        Vendor References

                          Harris Corporation

                          Notified:  July 19, 2016 Updated:  July 19, 2016

                          Status

                            Unknown

                          Vendor Statement

                          No statement is currently available from the vendor regarding this vulnerability.

                          Vendor References

                            Hitachi

                            Notified:  June 20, 2016 Updated:  June 20, 2016

                            Status

                              Unknown

                            Vendor Statement

                            No statement is currently available from the vendor regarding this vulnerability.

                            Vendor References

                              IBM Corporation

                              Notified:  June 20, 2016 Updated:  June 20, 2016

                              Status

                                Unknown

                              Vendor Statement

                              No statement is currently available from the vendor regarding this vulnerability.

                              Vendor References

                                Intel Corporation

                                Notified:  June 20, 2016 Updated:  June 20, 2016

                                Status

                                  Unknown

                                Vendor Statement

                                No statement is currently available from the vendor regarding this vulnerability.

                                Vendor References

                                  Microsoft Corporation

                                  Notified:  June 20, 2016 Updated:  June 20, 2016

                                  Status

                                    Unknown

                                  Vendor Statement

                                  No statement is currently available from the vendor regarding this vulnerability.

                                  Vendor References

                                    Motorola, Inc.

                                    Notified:  June 20, 2016 Updated:  June 20, 2016

                                    Status

                                      Unknown

                                    Vendor Statement

                                    No statement is currently available from the vendor regarding this vulnerability.

                                    Vendor References

                                      NEC Corporation

                                      Notified:  June 20, 2016 Updated:  June 20, 2016

                                      Status

                                        Unknown

                                      Vendor Statement

                                      No statement is currently available from the vendor regarding this vulnerability.

                                      Vendor References

                                        Nokia

                                        Notified:  June 20, 2016 Updated:  June 20, 2016

                                        Status

                                          Unknown

                                        Vendor Statement

                                        No statement is currently available from the vendor regarding this vulnerability.

                                        Vendor References

                                          Panasonic

                                          Notified:  June 20, 2016 Updated:  June 20, 2016

                                          Status

                                            Unknown

                                          Vendor Statement

                                          No statement is currently available from the vendor regarding this vulnerability.

                                          Vendor References

                                            Polycom

                                            Notified:  June 20, 2016 Updated:  June 20, 2016

                                            Status

                                              Unknown

                                            Vendor Statement

                                            No statement is currently available from the vendor regarding this vulnerability.

                                            Vendor References

                                              SEIKO EPSON Corp. / Epson America Inc.

                                              Notified:  July 19, 2016 Updated:  July 19, 2016

                                              Status

                                                Unknown

                                              Vendor Statement

                                              No statement is currently available from the vendor regarding this vulnerability.

                                              Vendor References

                                                Samsung Mobile

                                                Notified:  July 21, 2016 Updated:  July 21, 2016

                                                Status

                                                  Unknown

                                                Vendor Statement

                                                No statement is currently available from the vendor regarding this vulnerability.

                                                Vendor Information

                                                We are not aware of further vendor information regarding this vulnerability.

                                                Sony Corporation

                                                Notified:  June 20, 2016 Updated:  June 20, 2016

                                                Status

                                                  Unknown

                                                Vendor Statement

                                                No statement is currently available from the vendor regarding this vulnerability.

                                                Vendor References

                                                  TMobile

                                                  Notified:  June 20, 2016 Updated:  June 20, 2016

                                                  Status

                                                    Unknown

                                                  Vendor Statement

                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                  Vendor References

                                                    Unisys

                                                    Notified:  June 20, 2016 Updated:  June 20, 2016

                                                    Status

                                                      Unknown

                                                    Vendor Statement

                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                    Vendor References

                                                      Verizon

                                                      Notified:  June 20, 2016 Updated:  June 20, 2016

                                                      Status

                                                        Unknown

                                                      Vendor Statement

                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                      Vendor References

                                                        Vodafone Group, Inc.

                                                        Notified:  July 19, 2016 Updated:  July 19, 2016

                                                        Status

                                                          Unknown

                                                        Vendor Statement

                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                        Vendor References

                                                          View all 37 vendors View less vendors


                                                          CVSS Metrics

                                                          Group Score Vector
                                                          Base 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C
                                                          Temporal 7.1 E:U/RL:TF/RC:C
                                                          Environmental 5.4 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

                                                          References

                                                          Acknowledgements

                                                          Thanks to Lucas Molas and Ivan Arce of Programa STIC at the Fundación Sadosky for researching and coordinating this vulnerability.

                                                          This document was written by Garret Wassermann.

                                                          Other Information

                                                          CVE IDs: CVE-2016-5080
                                                          Date Public: 2016-07-18
                                                          Date First Published: 2016-07-19
                                                          Date Last Updated: 2016-08-26 18:07 UTC
                                                          Document Revision: 52

                                                          Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.