Re: CVE-2024-12133: Potential DoS in handling of numerous SEQUENCE OF or

help-libtasn1

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CVE-2024-12133: Potential DoS in handling of numerous SEQUENCE OF or

From:	Simon Josefsson
Subject:	Re: CVE-2024-12133: Potential DoS in handling of numerous SEQUENCE OF or SET OF elements
Date:	Thu, 06 Feb 2025 23:27:04 +0100
User-agent:	Gnus/5.13 (Gnus v5.13)

If you want to back-port patches, the relevant commits ought to be:

https://gitlab.com/gnutls/libtasn1/-/commit/4082ca2220b5ba910b546afddf7780fc4a51f75a
https://gitlab.com/gnutls/libtasn1/-/commit/869a97aa259dffa2620dabcad84e1c22545ffc3d

I haven't tried applying these to various older versions.

The issue tracker for this bug is here:

https://gitlab.com/gnutls/libtasn1/-/issues/52

/Simon

Simon Josefsson via Discussion list for GNU Libtasn1
<help-libtasn1@gnu.org> writes:

> All,
>
> Please find below the security advisory that goes with the v4.20.0
> release.
>
> /Simon
>
> ==================================================================
> CVE-2024-12133: Potential DoS in handling of numerous SEQUENCE OF or SET OF 
> elements
> ==================================================================
>
> When an input DER data contains a large number of SEQUENCE OF or SET
> OF elements, decoding the data and searching a specific element in it
> take quadratic time to complete. This could be utilized for a remote
> DoS attack by presenting a crafted certificate to the network peer.
>
> Severity: Moderate
> Vulnerable versions : All released version of libtasn1
> Not vulnerable      : libtasn1 4.20.0
>
> Vulnerability information
> =========================
> The issue is twofold: decoding a DER input with sequences and locating
> a specific element in a sequence. Even though a DER sequence is
> conceptually an array, in libtasn1 it is represented as a linked list,
> whose elements are assigned a string name, such as "?1". Therefore a
> simple lookup of an element at a given position is linear O(N) time
> complexity. When decoding a DER sequence, in each step libtasn1 looks
> up the parent node, recorded on the first element, which requires a
> backward linear search, resulting in O(N^2) time complexity.
>
> For details, see the original issue reported at:
> https://gitlab.com/gnutls/libtasn1/-/issues/52
>
> Exploitation
> ============
> By presenting a certificate with a large number of Subject Alternative
> Name or name constraint entries, the adversary can impose Denial of
> Service (DoS) in applications using libtasn1 for certificate parsing
> and verification.
>
> Recommendation
> =========
> To address this vulnerability, please upgrade to libtasn1 4.20.0 or
> later. At the same time, we recommend applications using libtasn1 for
> certificate processing should set a limit of input sequences, such as
> Subject Alternative Name or name constraint entries to reduce attack
> surface.
>
> Workaround
> ==========
> For those who cannot modify the application code, resource control
> mechanisms provided by the operating system, such as cgroups could
> help avoid excessive usage of CPU time.
>
> Credits
> =======
> This vulnerability was found and reported by Bing Shi.
>

signature.asc
Description: PGP signature

[Prev in Thread]

Current Thread

[Next in Thread]

CVE-2024-12133: Potential DoS in handling of numerous SEQUENCE OF or SET OF elements, Simon Josefsson, 2025/02/06
- Re: CVE-2024-12133: Potential DoS in handling of numerous SEQUENCE OF or SET OF elements, Simon Josefsson <=

Prev by Date: CVE-2024-12133: Potential DoS in handling of numerous SEQUENCE OF or SET OF elements
Previous by thread: CVE-2024-12133: Potential DoS in handling of numerous SEQUENCE OF or SET OF elements
Index(es):
- Date
- Thread