[190680] in North American Network Operators' Group


Re: Fwd: [ PRIVACY Forum ] Critical bug threatens to bite mobile

daemon@ATHENA.MIT.EDU (Marcin Cieslak)
Tue Jul 19 20:17:14 2016

X-Original-To: nanog@nanog.org
Date: Wed, 20 Jul 2016 00:16:28 +0000
From: Marcin Cieslak <saper@saper.info>
To: "Jay R. Ashworth" <jra@baylink.com>
In-Reply-To: <1968751399.18964.1468972540060.JavaMail.zimbra@baylink.com>
Cc: North American Network Operators' Group <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

On Tue, 19 Jul 2016, Jay R. Ashworth wrote:

> Heap overflow bug in either a widely used ASN.1 library from Objective Systems,
> apparently popular with cell-radio industry people.  Not sure if this will 
> leak over into NANOG land -- but neither are you, and that's most of my point.
> 
> DO *you* know if this library is used in your routers?  Can you find out?
> 
> How easily and quickly?

CERT/CC has published a list of contacted vendors:

http://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=790839&SearchOrder=4

From the timeline:

https://github.com/programa-stic/security-advisories/tree/master/ObjSys/CVE-2016-5080#8-report-timeline

it is not clear if all vendors have been contacted.

Wonder how to grep for rtxMemHeapAlloc in the possibly encrypted
baseband module firmware.


Marcin
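
Added example, not part of the original post: one way to triage firmware images for the `rtxMemHeapAlloc` name while accounting for images that may be encrypted, by pairing a raw byte search with a per-window entropy check. The window size, the entropy threshold, the verdict labels and the sample blobs are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

SYMBOL = b"rtxMemHeapAlloc"  # function name quoted in the post
WINDOW = 4096                # bytes per entropy window (assumed)
THRESHOLD = 7.5              # bits/byte treated as opaque (assumed)

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def find_symbol(blob: bytes, symbol: bytes = SYMBOL) -> list:
    """Byte offsets of every occurrence of the symbol name."""
    hits, pos = [], blob.find(symbol)
    while pos != -1:
        hits.append(pos)
        pos = blob.find(symbol, pos + 1)
    return hits

def opaque_fraction(blob: bytes) -> float:
    """Share of full windows whose entropy looks encrypted or compressed."""
    wins = [blob[i:i + WINDOW] for i in range(0, len(blob) - WINDOW + 1, WINDOW)]
    if not wins:
        return 0.0
    return sum(shannon_entropy(w) > THRESHOLD for w in wins) / len(wins)

def triage(blob: bytes) -> str:
    """Classify one image for an exposure inventory."""
    if find_symbol(blob):
        return "symbol-present"
    # A miss in a mostly opaque image says nothing: ask the vendor instead.
    if opaque_fraction(blob) > 0.5:
        return "inconclusive-opaque"
    # Stripped builds carry no symbol names, so this is not proof of absence.
    return "not-found"

def constructed_samples() -> dict:
    """Constructed stand-ins for firmware images (not real firmware)."""
    noise = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(512))
    return {
        "plain_with_symbol": b"\x00" * 100 + SYMBOL + b"\x00" + b"\xff" * 8000,
        "opaque": noise,
        "plain_without": b"boot banner\n" + b"\x00" * 8192,
    }

if __name__ == "__main__":
    for name, blob in constructed_samples().items():
        print(name, triage(blob), find_symbol(blob))
```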
