A vulnerability in a widely used ASN.1 compiler isn't a good thing: it means a bunch of downstream systems – potentially mobile phones and cell towers – will inherit the bug.
And an ASN.1 bug is what the Sadosky Foundation in Argentina has turned up, in Objective Systems' software.
The research group's Lucas Molas says Objective's ASN1C compiler for C/C++ version 7.0.0 (other builds are probably affected) generates code that suffers from heap memory corruption. This could be potentially exploited to run malware on machines and devices that run the vulnerable compiler output or interfere with their operation.
We're in fairly arcane territory here, so Vulture South will beg your patience. ASN.1 (it stands for Abstract Syntax Notation) is a standard, rather than a programming language. Among other things, LDAP, H.323, Kerberos, SS7 and the Simple Network Management Protocol (SNMP) use it to describe their data interchange.
ASN.1 compilers relieve the developer of having to hand-write encoders and decoders for the complicated notation, by automating code production: in other words, rather than writing software that handles ASN.1 data yourself, you feed your protocol's ASN.1 schema to a tool like Objective's ASN1C compiler, which generates the source code you need to process ASN.1-encoded information in your application. You then build that machine-written code, and ship it.
That makes a bug in the compiler a serious issue even if, as the Sadosky Foundation's detailed advisory says, it's hard to assess just how big the issue might be right now.
The compiler-generated code that controls your mobile phone's radio – the baseband component – and the network providing your phone signal and connectivity may be buggy as a result of this toolchain weakness. Those bugs, exploitable via data thrown at them over the airwaves, will end up built into critical gear and no one will realize there are security holes present – until now.
“The vulnerability could be triggered remotely without any authentication in scenarios where the vulnerable code receives and processes ASN.1 encoded data from untrusted sources, these may include communications between mobile devices and telecommunication network infrastructure nodes, communications between nodes in a carrier's network or across carrier boundaries, or communication between mutually untrusted endpoints in a data network,” the advisory states.
“Due to the fact that the bugs are located in the core runtime support library, it is hard to assess its exploitability in all scenarios but it is safe to assume that it would lead [to] attacker controlled memory corruption.”
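To make concrete what the generated code is doing when it "receives and processes ASN.1 encoded data from untrusted sources", here is a small hand-written decoder for the outer layer of every ASN.1 message: the tag-length-value (TLV) framing used by BER and DER. It is an added illustration, not code from Objective Systems, ASN1C, or the Sadosky Foundation advisory, and it says nothing about where the real bug sits. Its point is the check a decoder must make before trusting a length field: the declared length has to fit inside the bytes actually received, both at the top level and for every child of a SEQUENCE. The sample messages (`kGoodSequence`, `kBadSequence`) are constructed for this example; the function names are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result of decoding one DER tag-length-value header. */
typedef struct {
    uint8_t tag;        /* single-byte tag; multi-byte (high tag number) form is rejected */
    size_t  length;     /* declared length of the value octets */
    size_t  header_len; /* bytes consumed by the tag and length octets */
} asn1_tlv;

/* Decode a DER TLV header from buf[0..len).
 * Returns 0 on success, -1 on malformed or truncated input.
 * The final bounds check is the defensive step that matters: a decoder that
 * copies `length` bytes because the message said so, without comparing it to
 * the bytes it actually holds, is how an over-the-air message becomes a
 * memory-safety bug. */
int asn1_read_tlv(const uint8_t *buf, size_t len, asn1_tlv *out)
{
    if (buf == NULL || out == NULL || len < 2)
        return -1;                                  /* need at least tag + one length octet */
    size_t pos = 0;
    uint8_t tag = buf[pos++];
    if ((tag & 0x1F) == 0x1F)
        return -1;                                  /* high-tag-number form: out of scope here */
    uint8_t first = buf[pos++];
    size_t length;
    if (first < 0x80) {
        length = first;                             /* short form: one octet */
    } else {
        size_t n = first & 0x7F;                    /* long form: n further length octets */
        if (n == 0 || n > sizeof(size_t))
            return -1;                              /* indefinite length or absurdly wide */
        if (n > len - pos)
            return -1;                              /* the length octets themselves are truncated */
        length = 0;
        for (size_t i = 0; i < n; i++)
            length = (length << 8) | buf[pos++];
        if (length < 0x80)
            return -1;                              /* DER forbids long form for values < 128 */
    }
    if (length > len - pos)
        return -1;                                  /* declared value runs past the received bytes */
    out->tag = tag;
    out->length = length;
    out->header_len = pos;
    return 0;
}

/* Walk the children of a constructed element such as a SEQUENCE and return
 * how many there are, or -1 if any child claims more bytes than its parent holds. */
int asn1_count_children(const uint8_t *buf, size_t len)
{
    asn1_tlv outer;
    if (asn1_read_tlv(buf, len, &outer) != 0 || !(outer.tag & 0x20))
        return -1;                                  /* not a well-formed constructed element */
    const uint8_t *p = buf + outer.header_len;
    size_t remaining = outer.length;                /* children may only use the parent's bytes */
    int count = 0;
    while (remaining > 0) {
        asn1_tlv child;
        if (asn1_read_tlv(p, remaining, &child) != 0)
            return -1;                              /* child overruns its parent: reject the message */
        size_t consumed = child.header_len + child.length;
        p += consumed;
        remaining -= consumed;
        count++;
    }
    return count;
}

/* Constructed sample: SEQUENCE { INTEGER 5, OCTET STRING "hi" } in DER. */
static const uint8_t kGoodSequence[] = {
    0x30, 0x07, 0x02, 0x01, 0x05, 0x04, 0x02, 0x68, 0x69
};
/* Constructed sample: same SEQUENCE, but the OCTET STRING now claims 127
 * bytes of value while only two are present. A decoder that trusts the
 * length field would read (or copy) well past the end of the message. */
static const uint8_t kBadSequence[] = {
    0x30, 0x07, 0x02, 0x01, 0x05, 0x04, 0x7F, 0x68, 0x69
};

int main(void)
{
    printf("good message: %d children\n", asn1_count_children(kGoodSequence, sizeof kGoodSequence));
    printf("bad message:  %d (rejected)\n", asn1_count_children(kBadSequence, sizeof kBadSequence));
    return 0;
}
```

The same `length > len - pos` comparison has to appear at every nesting level, which is why the walker passes each child only the bytes its parent declared rather than the whole buffer; a generated decoder for a real schema is doing this thousands of times across every field, and a single missing comparison anywhere in the shared runtime is enough to expose every protocol built on it.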
Objective has issued an interim release, ASN1C 7.0.1, and says the patch will be incorporated in the upcoming 7.0.2 release.
And, of course, any programmer using the compiler will have to check whether their software inherits the bug from the toolchain, and push out their own patches. Which then have to be included in shipping products. And that's where it'll get messy.
US CERT has published an advisory detailing the known vulnerable systems and software. ®