Fwd: [ PRIVACY Forum ] Critical bug threatens to bite mobile phones and networks
Heap overflow bug in either a widely used ASN.1 library from Objective Systems, apparently popular with cell-radio industry people. Not sure if this will leak over into NANOG land -- but neither are you, and that's most of my point. DO *you* know if this library is used in your routers? Can you find out? How easily and quickly? Cheers, -- jra ----- Forwarded Message -----
From: "PRIVACY Forum mailing list" <privacy@vortex.com> To: privacy-list@vortex.com Sent: Tuesday, July 19, 2016 7:12:47 PM Subject: [ PRIVACY Forum ] Critical bug threatens to bite mobile phones and networks
Critical bug threatens to bite mobile phones and networks
http://arstechnica.com/security/2016/07/software-flaw-puts-mobile-phones-and...
A newly disclosed vulnerability could allow attackers to seize control of mobile phones and key parts of the world's telecommunications infrastructure and make it possible to eavesdrop or disrupt entire networks, security experts warned Tuesday. The bug resides in a code library used in a wide range of telecommunication products, including radios in cell towers, routers, and switches, as well as the baseband chips in individual phones. Although exploiting the heap overflow vulnerability would require great skill and resources, attackers who managed to succeed would have the ability to execute malicious code on virtually all of those devices. The code library was developed by Pennsylvania-based Objective Systems and is used to implement a telephony standard known as ASN.1, short for Abstract Syntax Notation One.
- - -
--Lauren-- Lauren Weinstein (lauren@vortex.com): http://www.vortex.com/lauren Founder: - Network Neutrality Squad: http://www.nnsquad.org - PRIVACY Forum: http://www.vortex.com/privacy-info Co-Founder: People For Internet Responsibility: http://www.pfir.org/pfir-info Member: ACM Committee on Computers and Public Policy Lauren's Blog: http://lauren.vortex.com Google+: http://google.com/+LaurenWeinstein Twitter: http://twitter.com/laurenweinstein Tel: +1 (818) 225-2800 / Skype: vortex.com I have consulted to Google, but I am not currently doing so -- my opinions expressed here are mine alone. _______________________________________________ privacy mailing list http://lists.vortex.com/mailman/listinfo/privacy
-- Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://www.bcp38.info 2000 Land Rover DII St Petersburg FL USA BCP38: Ask For It By Name! +1 727 647 1274
On 07/19/2016 04:55 PM, Jay R. Ashworth wrote:
Heap overflow bug in either a widely used ASN.1 library from Objective Systems, apparently popular with cell-radio industry people. Not sure if this will leak over into NANOG land -- but neither are you, and that's most of my point.
DO *you* know if this library is used in your routers? Can you find out?
How easily and quickly?
Friends don't let friends use asn.1 Mike
On Tue, 19 Jul 2016, Jay R. Ashworth wrote:
Heap overflow bug in either a widely used ASN.1 library from Objective Systems, apparently popular with cell-radio industry people. Not sure if this will leak over into NANOG land -- but neither are you, and that's most of my point.
DO *you* know if this library is used in your routers? Can you find out?
How easily and quickly?
CERT/CC has published a list of contacted vendors: http://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=790839&SearchOrder=4
From the timeline:
https://github.com/programa-stic/security-advisories/tree/master/ObjSys/CVE-... it is not clear if all vendors have been contacted. Wonder how to grep for rtxMemHeapAlloc in the possibly encrypted baseband module firmware. Marcin
participants (3)
-
Jay R. Ashworth
-
Marcin Cieslak
-
Michael Thomas