#VU10323 Resource exhaustion in libtASN1 - CVE-2018-6003

Cybersecurity Help s.r.o.

Published: 2018-01-29

Vulnerability identifier: #VU10323

Vulnerability risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-6003

CWE-ID: CWE-400

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
libtASN1
Universal components / Libraries / Libraries used by multiple products

Vendor: GNU

Description
The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists in the _asn1_decode_simple_ber function in decoding.c in GNU Libtasn1. A remote attacker can trigger unlimited recursion in the BER decoder and stack exhaustion to cause the service to crash.

Mitigation
Update to version 4.13 or later.

Vulnerable software versions

libtASN1: 4.0 - 4.12

External links
https://git.savannah.nongnu.org/cgit/libtasn1.git/commit/?id=c593ae84cfcde8fea45787e53950e0ac71e9ca97

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Resource exhaustion in libtasn1 (Alpine package)

Debian update for libtasn1-6

Ubuntu update for Libtasn1

Fedora 27 update for mingw-libtasn1

Fedora 26 update for libtasn1

Fedora 27 update for libtasn1