Vigil@nce - Linux kernel: memory corruption via asn1_find_indefinite_length
July 2016 by Vigil@nce
This bulletin was written by Vigil@nce: https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can trigger a memory corruption in
asn1_find_indefinite_length() in the Linux kernel, in order to
cause a denial of service, and possibly to run code.
– Impacted products: Fedora, Linux, openSUSE Leap, RHEL, SUSE Linux
Enterprise Desktop, SLES, Ubuntu.
– Severity: 2/4.
– Creation date: 12/05/2016.
DESCRIPTION OF THE VULNERABILITY
The Linux kernel implements an ASN.1 library in the
lib/asn1_decoder.c file, used for example to decode X.509
certificates.
An ASN.1 field can have an indefinite length, and in this case the
asn1_find_indefinite_length() function is called to find its size.
However, the computation is wrong, which corrupts memory.
An attacker can therefore trigger a memory corruption in
asn1_find_indefinite_length() in the Linux kernel, in order to
cause a denial of service, and possibly to run code.
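
To show what finding the size of an indefinite-length field involves, here is an added user-space example that scans for the matching end-of-contents marker and checks every length against the bytes that remain. It is not the kernel's code and does not reproduce the flaw; find_indef_len, MAX_DEPTH and the sample byte strings are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#define MAX_DEPTH 16   /* assumed nesting limit for this example */
/* data points just past a 0x80 (indefinite) length octet. Returns the number of
 * bytes up to and including the matching end-of-contents marker, or -1. */
ptrdiff_t find_indef_len(const uint8_t *data, size_t datalen)
{
    size_t dp = 0;        /* invariant: dp <= datalen */
    unsigned depth = 1;   /* indefinite-length elements still open */
    if (datalen > PTRDIFF_MAX) return -1;
    while (depth > 0) {
        if (datalen - dp < 2) return -1;          /* need tag + length octet */
        uint8_t tag = data[dp++];
        uint8_t len = data[dp++];
        if (tag == 0x00) {                        /* end-of-contents is 00 00 */
            if (len != 0x00) return -1;
            depth--;
            continue;
        }
        if ((tag & 0x1f) == 0x1f) return -1;      /* long-form tags not handled */
        if (len == 0x80) {                        /* nested indefinite element */
            if (!(tag & 0x20) || ++depth > MAX_DEPTH) return -1;
            continue;
        }
        size_t n = len;                           /* short form: len is the size */
        if (len > 0x80) {                         /* long form: k length octets */
            size_t k = len & 0x7f;
            if (k > sizeof(size_t) || k > datalen - dp) return -1;
            for (n = 0; k > 0; k--) n = (n << 8) | data[dp++];
        }
        if (n > datalen - dp) return -1;          /* content must fit in buffer */
        dp += n;                                  /* skip the element's content */
    }
    return (ptrdiff_t)dp;
}

/* Constructed sample inputs: content octets following an outer "30 80". */
static const uint8_t ok_nested[] = {0x30,0x80, 0x04,0x01,0xAA, 0x00,0x00, 0x00,0x00};
static const uint8_t long_form[] = {0x04,0x81,0x02, 0xAA,0xBB, 0x00,0x00};
static const uint8_t overrun[]   = {0x04,0x05, 0xAA, 0x00,0x00};
static const uint8_t truncated[] = {0x02,0x01,0x05};

int main(void)
{
    return !(find_indef_len(ok_nested, sizeof ok_nested) == 9 &&
             find_indef_len(long_form, sizeof long_form) == 7 &&
             find_indef_len(overrun, sizeof overrun) == -1 &&
             find_indef_len(truncated, sizeof truncated) == -1);
}
```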