ASN Security Issues Run Deep, Forrester Warns

Security flaws reveal weaknesses in Microsoft's Abstract Syntax Notation One, a cryptographic and authentication mechanism in use by every Window operating system. The problem is with the compiler, not the applications themselves. It's time for developers to patch and recompile quickly.

Memo to developers: have you recompiled any custom-built applications that use the ASN.1 library? Recent security flaws have highlighted ASN.1 weaknesses, with security experts saying the clock is ticking before automated attacks, able to gain root access to any Windows machine employing an ASN.1 library, start appearing.

In fact, the recent vulnerabilities, trumpeted by the Microsoft announcement, have led to a wake-up call for developers using ASN.1. “Anyone who uses the ASN.1 standard is auditing his code now—thus, users must expect more ASN.1-related patches shortly,” says Forrester Research. By the same token, experts recommend any developers that haven’t audited their ASN.1-using code do so immediately.

Given its wide use and deployment, security experts say to expect more ASN.1 vulnerabilities to appear, and not just in Microsoft products. Forrester says ASN.1 problems first manifested themselves in July 2001 as weaknesses in LDAP implementations. In September 2003, researchers found ASN.1 vulnerabilities in OpenSSL. “The problems aren’t with ASN.1 itself, but with the compilers that developers use to produce applications that send and receive ASN.1-encoded messages,” Forrester reports.

Recent warnings aside, researchers have been finding vulnerabilities in Microsoft’s Abstract Syntax Notation One (ASN.1) since 2001. The most recent example came last month, when Microsoft announced an attacker could exploit an ASN.1 vulnerability to gain root access, and issued a patch.

Despite recent problems, many security managers are unfamiliar with ASN.1, a cryptographic and authentication mechanism in use by every Window operating system, beginning with Windows 98 and including Windows Server 2003. According to security research firm eEye Digital, “ASN is the method through which the syntax of messages to be exchanged between peer applications is defined, independent of local representation.”

Various cryptographic and authentication applications also use ASN.1, such as secure sockets layer (SSL), digital certificates, and Kerberos.

ASN.1, however, actually started in the 1980s as the Xerox Courier Specification. It evolved into X.400, an electronic mail exchange standard now used as an alternative e-mail protocol to SMTP, and later was split into ISO 8824 (ASN.1) and ISO 8825 became Basic Encoding Rules. Last year, researchers found ASN.1 vulnerabilities in x.400 as well as in S/MIME, a protocol most often used to provide e-mail integrity and encryption.

Today, ASN.1 is widely deployed and used in a wide range of applications, according to Forrester. “Network operators use ASN.1 standards to set up cross-network telephone calls, and next-generation air-traffic control systems use ASN.1 standards for air-to-air communication.”

Wide deployment, of course, is a concern when it comes to potential attacks. eEye Digital, which discovered the Microsoft vulnerability, notes any ASN.1-using application could potentially be used to launch an attack.

CERT says exploits of known vulnerabilities have been mitigated by the technical difficulties involved. But for companies that still haven’t patched the ASN.1 vulnerability, time is running out. Sample code that exploits the weakness was posted to security mailing lists February 14. “This [proof-of-concept] merely creates a denial-of-service condition,” notes Forrester. “Merely” is the prelude to more sophisticated, automated attacks, or perhaps worms.

Hence, “patch, don’t panic—but do it quickly,” notes Forrester.


Related Stories:

Microsoft Warns of Critical ASN.1 Vulnerability

eEye Digital Security Uncovers Dangerous Vulnerabilities in Microsoft Windows ASNeEye’s Retina Network Security Scanner detects and remediates ASN vulnerability

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.