Re: Fwd: [ PRIVACY Forum ] Critical bug threatens to bite mobile phones and networks

[Marcin Cieslak <saper () saper info>]

On Tue, 19 Jul 2016, Jay R. Ashworth wrote:

> Heap overflow bug in either a widely used ASN.1 library from Objective Systems,
> apparently popular with cell-radio industry people.  Not sure if this will 
> leak over into NANOG land -- but neither are you, and that's most of my point.
>
> DO *you* know if this library is used in your routers?  Can you find out?
>
> How easily and quickly?

CERT/CC has published a list of contacted vendors:

http://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=790839&SearchOrder=4

> From the timeline:

https://github.com/programa-stic/security-advisories/tree/master/ObjSys/CVE-2016-5080#8-report-timeline

it is not clear if all vendors have been contacted.

Wonder how to grep for rtxMemHeapAlloc in the possibly encrypted
baseband module firmware.


Marcin