ASN.1 Flaw Threatens Mobile Networks

UPDATED: Researchers have identified a serious flaw that could allow an attacker to compromise a number of different devices and networks, including telecommunications networks and mobile phones, as well as a number of other embedded devices.

The vulnerability is in a specific compiler that’s used for software in several programming languages in a number of industries, including aviation, telecom, defense, and networking. The compiler, sold by Objective Systems, is for the ASN.1 standard, and one of the code libraries in the compiler contains a heap overflow vulnerability that could allow a high-level attacker to execute arbitrary code remotely on vulnerable systems. Discovered by researcher Lucas Molas, the vulnerability could affect products from a wide range of vendors who use the compiler. Right now, only products from Qualcomm are known to be affected.

“A vulnerability found in the runtime support libraries of the ASN1C compiler for C/C++ from Objective Systems Inc. could allow an attacker to remotely execute code in software systems, including embedded software and firmware, that use code generated by the ASN1C compiler,” the advisory from Molas says.

“The vulnerability could be triggered remotely without any authentication in scenarios where the vulnerable code receives and processes ASN.1 encoded data from untrusted sources, these may include communications between mobile devices and telecommunication network infrastructure nodes, communications between nodes in a carrier’s network or across carrier boundaries, or communication between mutually untrusted endpoints in a data network.”

Objective Systems has released a new version of the ASN1C compiler for C and C++ that includes a patch for the vulnerability, but that may not completely fix the issue. The company pushed out a hot fix for the ASN1C 7.0.1.x series of the compiler, but there is no release date set for the 7.0.2 version, which will contain the full fix. Although the vulnerability is considered quite serious, Molas said in the advisory that it’s not clear how easy it would be for an attacker to exploit it.

“Due to the fact that the bugs are located in the core runtime support library, it is hard to assess its exploitability in all scenarios but it is safe to assume that it would lead to attacker-controlled memory corruption of either the system’s heap (if malloc is called) or in the internal memory allocator (if the number of bytes requested is below the aforementioned threshold),” Molas said.

Iván Arce, who leads the research team at Programa STIC of Fundación Sadosky in Argentina, of which Molas is a member, said that any exploitation of the vulnerability would need to be specific to a given target.

“In practice, aka the real world, an exploit would be highly dependent and custom-built for the actual target. Target here should be understood as a specific device brand, model and vulnerable software version. I use ‘software’ as a generic term that includes embedded software, firmware, baseband, etc.,” Arce said by email.

“The reason for this is that the bug is in a support library used by the automatically generated code and incorporated as a component into a product’s source tree by a given vendor. The way each vendor chooses to do that and build the resulting software, the hardware on which that will run and the specifics about the (ASN.1 based) protocol that the ASN1C-generated code parses would determine exploitability.”

ASN.1 is one of the foundational standards in many networks, including telecom networks, and is used in a variety of places. Arce said a skilled attacker might be able to compromise a mobile device over the air through the use of a fake base station, or compromise a base station with a mobile device, or compromise telecom network equipment with this vulnerability.

“The scenarios are not limited to telco stuff but we do not know how ASN1C is being used in other areas,” Arce said.

Objective Systems has a broad customer list, which includes tech giants such as Cisco and Qualcomm, as well as a number of federal agencies, such as the Federal Aviation Administration and the FBI.

A Qualcomm spokesman said the company is working on a fix, although it doesn’t believe the bug is exploitable.

“The vulnerability is an integer overflow that can cause buffer overflow. However due to the ASN.1 PER encoding rule specified in the cellular standards and implemented in our products, we believe the vulnerability is not exploitable. This is because in order to exploit it, an attacker needs to send a large value in a specially crafted network signaling message; but the encoding rule specified in the 3G/4G Standards and in our products does not allow such a large value to get through,” the spokesman said.
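The bug class named in that statement, a length that wraps during size arithmetic so the buffer comes out smaller than the data, is shown below next to the two checks that stop it. This is an added example, not code from Objective Systems, Qualcomm or the advisory; `HDR_SIZE`, `MAX_FIELD_LEN` and the length-prefixed field format are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define HDR_SIZE      16u     /* assumed allocator bookkeeping bytes */
#define MAX_FIELD_LEN 65535u  /* assumed protocol limit on one field */

/* Weak form: 32-bit addition wraps, so a huge request yields a tiny size. */
uint32_t alloc_size_unchecked(uint32_t nbytes) {
    return nbytes + HDR_SIZE;
}

/* Hardened form: reject before the addition can wrap. */
int alloc_size_checked(uint32_t nbytes, uint32_t *total) {
    if (nbytes > MAX_FIELD_LEN) return -1;          /* protocol bound */
    if (nbytes > UINT32_MAX - HDR_SIZE) return -1;  /* arithmetic guard */
    *total = nbytes + HDR_SIZE;
    return 0;
}

/* Decode one field: 4-byte big-endian length, then payload.
 * Returns 0 and a malloc'd copy in *out, or a negative error code. */
int decode_field(const uint8_t *in, size_t in_len, uint8_t **out, uint32_t *out_len) {
    uint32_t len, total;
    if (in_len < 4) return -1;                      /* truncated header */
    len = ((uint32_t)in[0] << 24) | ((uint32_t)in[1] << 16) |
          ((uint32_t)in[2] << 8)  |  (uint32_t)in[3];
    if (alloc_size_checked(len, &total) != 0) return -2;  /* length too large */
    if (len > in_len - 4) return -3;                /* claims more than sent */
    uint8_t *buf = malloc(total);
    if (buf == NULL) return -4;
    memset(buf, 0, HDR_SIZE);                       /* header region */
    memcpy(buf + HDR_SIZE, in + 4, len);
    *out = buf;
    *out_len = len;
    return 0;
}

int main(void) {
    /* Constructed inputs: one well-formed field, one with an oversized length. */
    const uint8_t ok[]  = {0, 0, 0, 3, 'a', 'b', 'c'};
    const uint8_t bad[] = {0xFF, 0xFF, 0xFF, 0xF8, 'x'};
    uint8_t *p = NULL; uint32_t n = 0;
    int r1 = decode_field(ok, sizeof ok, &p, &n);
    free(p); p = NULL;
    int r2 = decode_field(bad, sizeof bad, &p, &n);
    return (r1 == 0 && r2 == -2 && alloc_size_unchecked(0xFFFFFFF8u) == 8u) ? 0 : 1;
}
```

The protocol bound alone rejects the oversized length here, which mirrors the argument in the statement above; the arithmetic guard keeps the allocator safe for callers that have no such bound.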

This story was updated on July 25 to add comments from Qualcomm.