Ars Technica has reported on the discovery of a vulnerability in the software library of ASN.1, a widely-used standard for encoding telecom network data. The vulnerability allows hackers to execute their own malicious code on routers, switches and radio towers.
The weakness was identified by researchers from the Fundación Sadosky and is described in an advisory posted to GitHub on July 18th. They found a bug in an ASN.1 compiler for C and C++ supplied by Objective Systems Inc., an American business. The bug allows…
…an attacker to remotely execute code in software systems, including embeded software and firmware… The vulnerability could be triggered remotely without any authentication in scenarios where the vulnerable code receives and processes ASN.1 encoded data from untrusted sources, these may include communications between mobile devices and telecommunication network infrastructure nodes, communications between nodes in a carrier’s network or across carrier boundaries, or communication between mutually untrusted endpoints in a data network.
Objective Systems have created a patch, which is available to their customers upon request. However, operators will find it a burden to install the patches on all the affected hardware, not least because the affected equipment will be widely distributed. In the interim, hackers have a standing target to attack, and the only comfort is that the vulnerability is relatively difficult to exploit.