Hello, welcome to the July 20th, 2016 edition of the Sands and Storm Center's Stormcast. My name is Johannes O'Rich, and the I'm recording from Minneapolis, Minnesota.

Today, a vulnerability was made public in a very popular ASN.1 development tool.

The tool ASN 1C is published by objective systems, its commercial software, that will take an

ASN.1 specification and turn it into C code.

The sad part is that the C code that's created by this tool is vulnerable to a heap buffer overflow.

Now, the big deal here is that ASN.1 is the encoding scheme that's essentially behind most important internet protocols.

Think of it like XML but all binary.

For example, SSL uses ASN.1, SNMP uses ASN.1, but also protocols like LTE, for example, do use ASN.1 encoding.

And in particular, the later one, for example, is one protocol featured by objective systems as a possible

target for its ASN1C compiler.

So there is a huge range of systems that may be vulnerable because code used in these systems

was created using this particular tool.

ASN.1 vulnerabilities are certainly nothing new.

A lot of SSL vulnerabilities, for example, are at their core

ASN.1 parsing vulnerabilities.

It is a rather complex format and as a result, not always to parse in particular if you have to do it efficiently, quickly at wire speed, like for example in these LTE systems and in particular if then again minimum hardware is involved. So you have to be really efficient in how you write your

code. Oftentimes, security like basic input validation, is being sacrificed here for efficiency,

and in many cases the standard isn't really specifically pointing out some of the inconsistencies, for example,

in length fields that have to be dealt with by the parser.

As an end user, not really much you can do about this.

Just wait for vendors to come up with patches.

If you are using the objective system, ASNN1C compiler to create your own software,

...