You can now find Cyber Kendra on Google News!

Critical Flaw puts Mobile Networks at risk of complete takeover

Mobile network hacking, security flaw on mobile and network, critical security flaw, ASN1C Vulnerability, ASN1C critical flaws
A newly disclosed vulnerability could allow attackers to seize control of mobile phones and key parts of the world's telecommunications infrastructure and make it possible to eavesdrop or disrupt entire networks.

US-CERT warned yesterday that, a large number of software applications created for managing and interconnecting mobile networks around the world may be vulnerable to a remote code execution (RCE) flaw that can allow attackers to take over crucial equipment.

The vulnerability dubbed as CVE-2016-5080 was discovered following a security audit at Objective Systems, a US-based company that ships the ASN1C code compiler. The bug resides in a code library used in a wide range of telecommunication products, including radios in cell towers, routers, and switches, as well as the baseband chips in individual phones.

Objective Systems says that ASN1C compiles ASN.1 code to C and C++ in a way that introduces a vulnerability in all applications. This vulnerability is a heap-based buffer overflow that allows attackers to execute code on the affected systems, from a remote location and without needing to authentication on the device.

What is ASN1C?
ASN.1 (Abstract Syntax Notation One) is an international standard that describes data structures and transfer protocols used in the telecommunications field.

ASN1C is an application created by Objective Systems that takes ASN.1 data structures, operations, and instructions, and converts them to C, C++, C#, or Java code, which can be embedded into applications or software that runs on mobile equipment deployed with classic GSM or more modern LTE networks.

Types of Vendors affected
According to the investigation, researchers says that only ASN1C's ASN.1-to-C and ASN.1-to C++ functions are vulnerable. But further more investigation is going on for ASN.1-to-C# and ASN.1-to-Java compilation routines.

The company has released a quick fix for the issue in the latest 7.0.1.x branch of ASN1C, with a permanent fix scheduled for 7.0.2 in the coming weeks.

Post a Comment