Telco equipment put in danger by new RCE vulnerability discovered in the compiler that generates the underlying software

Jul 20, 2016 11:50 GMT  ·  By

A large number of software applications created for managing and interconnecting mobile networks around the world may be vulnerable to a remote code execution (RCE) flaw that can allow attackers to take over crucial equipment, US-CERT warned yesterday.

The vulnerability (CVE-2016-5080) was discovered following a security audit at Objective Systems, a US-based company that develops the ASN1C compiler, one of the tools used to build the applications mentioned above.

Issue affects only software compiled with ASN1C

ASN.1 (Abstract Syntax Notation One) is an international standard (the ITU-T X.680 series) for describing the data structures exchanged by telecommunications protocols; companion encoding rules such as BER and PER define how those structures are serialized on the wire.

ASN1C is a tool from Objective Systems that takes ASN.1 schema definitions and generates the corresponding C, C++, C# or Java encoder and decoder code, which is then embedded in applications running on mobile network equipment, from classic GSM through 3G to LTE networks.

According to Objective Systems, the C and C++ code that ASN1C generates carries the flaw into every application built with it. The bug is a heap-based buffer overflow that lets an attacker execute code on the affected system from a remote location, without authenticating to the device.
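The C program below is an added illustration of the bug class the article describes (an integer overflow in an allocation-size calculation that turns into a heap overflow, as the Qualcomm statement further down also characterizes it); it is not ASN1C's code, and the 16-byte block header, 8-byte alignment and the 4-byte length-prefixed message format are assumptions made for the example. It shows the unchecked size computation wrapping to a tiny block for an attacker-supplied length, next to the checked version a decoder can rely on:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative allocator bookkeeping (an assumption, not ASN1C's layout):
 * every block carries a fixed header and is rounded up to ALIGN bytes. */
#define HDR_SIZE 16u
#define ALIGN    8u

/* Vulnerable pattern: header + payload, rounded up, in unchecked 32-bit
 * arithmetic. A length near UINT32_MAX wraps to a tiny block size, and the
 * decoder then copies the full attacker-chosen length into that block. */
uint32_t alloc_size_unchecked(uint32_t len)
{
    uint32_t total = len + HDR_SIZE;               /* may wrap */
    return (total + (ALIGN - 1)) & ~(ALIGN - 1);   /* may wrap again */
}

/* Hardened form of the same computation. Returns 0 and stores the size, or
 * -1 when header + payload + rounding cannot fit in 32 bits. */
int alloc_size_checked(uint32_t len, uint32_t *out)
{
    if (len > UINT32_MAX - HDR_SIZE - (ALIGN - 1))
        return -1;
    *out = (len + HDR_SIZE + (ALIGN - 1)) & ~(ALIGN - 1);
    return 0;
}

/* Convenience for callers that only want the size; 0 means "rejected"
 * (a valid size is never below HDR_SIZE). */
uint32_t alloc_size_or_zero(uint32_t len)
{
    uint32_t size;
    return alloc_size_checked(len, &size) == 0 ? size : 0;
}

/* Toy message format (constructed for this example): a 4-byte big-endian
 * payload length followed by the payload. Allocates a block of the checked
 * size, stores the payload after the header and returns the block (caller
 * frees), or NULL on a bad length or truncated input. */
uint8_t *decode_message(const uint8_t *msg, size_t msg_len, uint32_t *payload_len)
{
    uint32_t len, size;
    if (msg_len < 4)
        return NULL;
    len = ((uint32_t)msg[0] << 24) | ((uint32_t)msg[1] << 16) |
          ((uint32_t)msg[2] << 8)  |  (uint32_t)msg[3];
    /* The size check runs before anything else: in a streaming decoder the
     * payload may not have arrived yet, so this is the only line of defense. */
    if (alloc_size_checked(len, &size) != 0)
        return NULL;
    if (len > msg_len - 4)
        return NULL;
    uint8_t *block = malloc(size);
    if (block == NULL)
        return NULL;
    memcpy(block, &len, sizeof len);          /* header: payload length */
    memcpy(block + HDR_SIZE, msg + 4, len);   /* fits by construction */
    *payload_len = len;
    return block;
}

/* Self-check on a constructed "hello" message: 1 when the payload
 * round-trips through the decoder, 0 otherwise. */
int decode_demo(void)
{
    static const uint8_t msg[] = { 0x00, 0x00, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
    uint32_t len = 0;
    uint8_t *block = decode_message(msg, sizeof msg, &len);
    int ok = block != NULL && len == 5 && memcmp(block + HDR_SIZE, "hello", 5) == 0;
    free(block);
    return ok;
}

/* 1 when a constructed message claiming a near-4 GB length is refused. */
int decode_rejects_huge(void)
{
    static const uint8_t msg[] = { 0xFF, 0xFF, 0xFF, 0xF8, 0x00 };
    uint32_t len = 0;
    return decode_message(msg, sizeof msg, &len) == NULL;
}

int main(void)
{
    uint32_t bad = 0xFFFFFFF8u;
    printf("unchecked size for len 0x%x: %u bytes\n", (unsigned)bad,
           (unsigned)alloc_size_unchecked(bad));
    printf("checked size for len 0x%x: %s\n", (unsigned)bad,
           alloc_size_or_zero(bad) ? "accepted" : "rejected");
    printf("decode demo: %s\n", decode_demo() ? "ok" : "FAILED");
    return 0;
}
```

With the length 0xFFFFFFF8 the unchecked computation yields an 8-byte block while the decoder still believes it may copy almost 4 GB into it; the checked version refuses the length before any allocation happens, which is the property a fix for this class of bug has to guarantee.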

Not all vendors affected

As of now, Objective Systems says that only ASN1C's ASN.1-to-C and ASN.1-to-C++ code generators are affected, but it is still investigating its ASN.1-to-C# and ASN.1-to-Java back ends.

The company has released a hotfix for the issue in the current 7.0.1.x branch of ASN1C, with a permanent fix scheduled for version 7.0.2 in the coming weeks.

Via US-CERT, the company has also reached out to 34 mobile operators and equipment vendors to inform them of the issue.

So far, only Qualcomm has confirmed that it is affected by the problem, while Honeywell and Hewlett Packard Enterprise have said they are not impacted.

UPDATE [July 21, 2016]: A Qualcomm spokesperson has reached out and provided more details on how this vulnerability affects their equipment.

  The vulnerability is in the ASN1C code that is provided by a third party called Objective Systems. Qualcomm integrated their code into the cellular stack of our products. The vulnerability is an integer overflow that can cause a buffer overflow. However, due to the ASN.1 PER encoding rule specified in the cellular standards and implemented in our products, we believe the vulnerability is not exploitable. This is because in order to exploit it, an attacker needs to send a large value in a specially crafted network signaling message; but the encoding rule specified in the 3G/4G Standards and in our products does not allow such a large value to get through. However, we are still actively working with the vendor and propagating the patch to the affected products.
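As an added example (written for this page, not Qualcomm's or Objective Systems' code), the C program below decodes the unconstrained length determinant form defined in X.691 clause 10.9, which is the PER mechanism the statement above relies on: a single determinant is one octet for 0 to 127, two octets for up to 16383, and a fragment marker for 16384 to 65536 bytes, after which another determinant follows. The exhaustive search shows the largest value one determinant can carry, and the chain walker shows how a decoder can add fragments together without reintroducing an integer wrap. The helper names and the constructed byte strings are part of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PER_FRAGMENT 16384u   /* unit of a fragmented length (16K) */

/* Decodes one unconstrained length determinant (X.691 10.9). Returns the
 * octets consumed (1 or 2) and sets *len; *more is 1 when the determinant
 * is a fragment count, meaning 'len' data bytes and then another
 * determinant follow. Returns 0 for a truncated or invalid determinant. */
size_t per_length_determinant(const uint8_t *buf, size_t n,
                              uint32_t *len, int *more)
{
    if (n < 1)
        return 0;
    uint8_t b = buf[0];
    *more = 0;
    if ((b & 0x80) == 0) {                 /* 0xxxxxxx: 0..127 */
        *len = b;
        return 1;
    }
    if ((b & 0xC0) == 0x80) {              /* 10xxxxxx xxxxxxxx: up to 16383 */
        if (n < 2)
            return 0;
        *len = ((uint32_t)(b & 0x3F) << 8) | buf[1];
        return 2;
    }
    uint32_t m = b & 0x3F;                 /* 11xxxxxx: m fragments of 16K */
    if (m < 1 || m > 4)                    /* only 1..4 are valid encodings */
        return 0;
    *len = m * PER_FRAGMENT;
    *more = 1;
    return 1;
}

/* Two-octet probe helper: the decoded length, or UINT32_MAX when the
 * determinant is invalid. */
uint32_t per_single(uint8_t b0, uint8_t b1)
{
    uint8_t buf[2] = { b0, b1 };
    uint32_t len;
    int more;
    return per_length_determinant(buf, 2, &len, &more) ? len : UINT32_MAX;
}

/* Largest value any single determinant can carry, found by exhaustive
 * search over the first octet with the second octet at its maximum. */
uint32_t per_max_single_length(void)
{
    uint32_t best = 0;
    for (unsigned b0 = 0; b0 < 256; b0++) {
        uint32_t len = per_single((uint8_t)b0, 0xFF);
        if (len != UINT32_MAX && len > best)
            best = len;
    }
    return best;
}

/* Walks a fragmented chain (determinant, data, determinant, ...) and
 * returns the total data length, or 0 when the chain is malformed or the
 * total would exceed 'cap'. The cap test is written so the running total
 * itself can never wrap, which is what a decoder that sums fragments into
 * an allocation size has to preserve. */
uint32_t per_total_length(const uint8_t *buf, size_t n, uint32_t cap)
{
    uint32_t total = 0;
    size_t pos = 0;
    for (;;) {
        uint32_t len;
        int more;
        size_t used = per_length_determinant(buf + pos, n - pos, &len, &more);
        if (used == 0 || len > cap - total)
            return 0;
        total += len;
        pos += used;
        if (!more)
            return total;
        if (len > n - pos)                 /* fragment data truncated */
            return 0;
        pos += len;                        /* skip the fragment's data */
    }
}

/* Constructed chain: one 16K fragment marker (0xC1), 16384 data bytes,
 * then a final 5-byte determinant. Decodes to 16389. */
uint32_t per_chain_demo(void)
{
    static uint8_t chain[1 + PER_FRAGMENT + 1];
    chain[0] = 0xC1;
    chain[1 + PER_FRAGMENT] = 0x05;
    return per_total_length(chain, sizeof chain, 1u << 20);
}

int main(void)
{
    printf("largest single PER length determinant: %u\n",
           (unsigned)per_max_single_length());
    printf("fragment chain decodes to: %u bytes\n", (unsigned)per_chain_demo());
    return 0;
}
```

No single determinant can exceed 65536, which is the bound the statement above counts on; the remaining place a length can grow is the sum over a fragment chain, so the walker caps that sum before adding rather than after.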