GSM and LTE Mobile Networks Around the World Affected by Serious Security Flaw
A large number of software applications created for managing and interconnecting mobile networks around the world may be vulnerable to a remote code execution (RCE) flaw that can allow attackers to take over crucial equipment, US-CERT warned yesterday.
The vulnerability (CVE-2016-5080) was discovered following a security audit at Objective Systems, a US-based company that ships the ASN1C code compiler, one of the many tools used to create the above-mentioned software applications.
Issue affects only software compiled with ASN1C
ASN.1 (Abstract Syntax Notation One) is an international standard that describes data structures and transfer protocols used in the telecommunications field.
ASN1C is an application created by Objective Systems that takes ASN.1 data structures, operations, and instructions, and converts them to C, C++, C#, or Java code, which can be embedded into applications or software that runs on mobile equipment deployed with classic GSM or more modern LTE networks.
Objective Systems says that ASN1C compiles ASN.1 code to C and C++ in a way that introduces a vulnerability in all applications. This vulnerability is a heap-based buffer overflow that allows attackers to execute code on the affected systems, from a remote location and without needing to authentication on the device.
Not all vendors affected
As of now, Objective Systems says that only ASN1C’s ASN.1-to-C and ASN.1-to C++ functions are affected, but it is still investigating its ASN.1-to-C# and ASN.1-to-Java compilation routines.
The company has released a quick fix for the issue in the latest 7.0.1.x branch of ASN1C, with a permanent fix scheduled for 7.0.2 in the coming weeks.
Via US-CERT, the company has also reached out to 34 mobile operators and equipment vendors to inform them of the issue.
Until now, only Qualcomm has confirmed it is affected by the problem while Honeywell and Hewlett-Packard Enterprise have said they’re not impacted by it.