Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1464141

Summary: The _asn1_check_identifier function in GNU Libtasn1 before 4.12(including 4.12) causes a NULL pointer dereference and crash when a NULL value assigned to value member in asn1_node. It will lead to a remote denial of service attack.
Product: Red Hat Enterprise Linux 7 Reporter: owl337 <v.owl337>
Component: libtasn1Assignee: Nikos Mavrogiannopoulos <nmavrogi>
Status: CLOSED UPSTREAM QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high Docs Contact:
Priority: unspecified    
Version: 7.5-AltCC: carnil, meissner, szidek
Target Milestone: rcKeywords: Security
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-07-20 08:20:41 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
the vulnerability is triggered by ./asn1Parser $FILE none

Description owl337 2017-06-22 13:50:04 UTC 
Created attachment 1290728 [details]
the vulnerability is triggered by ./asn1Parser $FILE

Description of problem:

The _asn1_check_identifier function in GNU Libtasn1 before 4.12(including 4.12) cause a NULL pointer dereference and crash when a NULL value assigned to value member in asn1_node. It will lead to a remote denial of service attack.

Version-Release number of selected component (if applicable):

from 2.0 to 4.12, 37 versions in total 


How reproducible:

./asn1Parser  POC

Steps to Reproduce:

$ gdb ./install/bin/asn1Parser
(gdb) set args POC
(gdb) r
…
Program received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/x86_64/strlen.S:106
106	../sysdeps/x86_64/strlen.S: No such file or directory.
(gdb) bt
#0  strlen () at ../sysdeps/x86_64/strlen.S:106
#1  0x00007ffff7bd0b9b in _asn1_str_cat (dest=0x7fffffffe250 "PKIX1Implicit88.", dest_tot_size=130, src=0x0) at gstr.c:34
#2  0x00007ffff7bd1c2d in _asn1_check_identifier (node=0x628c50) at parser_aux.c:972
#3  0x00007ffff7bcb3e7 in asn1_parser2array (
    inputFileName=inputFileName@entry=0x604010 "/home/company/real/POC", 
    outputFileName=outputFileName@entry=0x0, vectorName=vectorName@entry=0x0, error_desc=error_desc@entry=0x7fffffffe380 "o\a@") at ASN1.y:780
#4  0x0000000000400fbb in main (argc=<optimized out>, argv=0x7fffffffe528) at asn1Parser.c:166

Actual results:

denial of service

Expected results:

denial of service

Additional info:

This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao  and chaoz.cn if you need more info about the team, the tool or the vulnerability
Comment 2 Nikos Mavrogiannopoulos 2017-06-22 14:22:29 UTC 
Hi,
 Thank you for reporting that. I'd recommend to provide more information when reporting vulnerabilities. What you provide above is insufficient, e.g., how can you exploit the issue you report?

To the specifics, there are two calls to _asn1_check_identifier(), one from ASN1.y which is used for the parsing of developer-provided file and structure.c in asn1_array2tree() where the developer-provided file is converted to an array. Neither of these uses can lead to a vulnerability.
Comment 4 owl337 2017-06-23 04:21:07 UTC 
(In reply to Nikos Mavrogiannopoulos from comment #2)
> Hi,
>  Thank you for reporting that. I'd recommend to provide more information
> when reporting vulnerabilities. What you provide above is insufficient,
> e.g., how can you exploit the issue you report?
> 
> To the specifics, there are two calls to _asn1_check_identifier(), one from
> ASN1.y which is used for the parsing of developer-provided file and
> structure.c in asn1_array2tree() where the developer-provided file is
> converted to an array. Neither of these uses can lead to a vulnerability.

Thanks for your reminding.
There were many other applications on parsing asn1 syntax used asn1_array2tree or asn1_parser2array function. For example, https://github.com/FrUh/BitPunch/blob/master/lib/src/bitpunch/asn1/asn1.c . In addtion, there should be lots of serialization-based applications need asn1 synax self-definetion that exist the risk for suffering the dos attack.
Comment 5 Nikos Mavrogiannopoulos 2017-06-26 07:18:52 UTC 
I still do not see how can this be exploited.
Comment 9 Andrej Nemec 2017-07-20 08:20:41 UTC 
Hi owl337,

Please report these issues to upstream libtasn1 project, if you haven't already done so.

Thanks.