Asymmetric denial of service - ReDoS In pyasn1
Description
pyasn1 has a DoS vulnerability in its BER decoder
Summary
After reviewing pyasn1 v0.6.1, a denial-of-service issue was found: a malformed RELATIVE-OID with an excessive number of continuation octets leads to memory exhaustion during decoding.
Details
The unbounded integer growth occurs in the decoder at `reloid += ((subId << 7) + nextSubId,)`: https://github.com/pyasn1/pyasn1/blob/main/pyasn1/codec/ber/decoder.py#L496
PoC
For the DoS:
```python
import pyasn1.codec.ber.decoder as decoder
import pyasn1.type.univ as univ
import sys
import resource

# Deliberately set memory limit to display PoC
try:
    print("[*] Memory limit set to 100MB")
...
```
Screenshots with the results:
DoS
Leak analysis
A potential heap leak was investigated but came back clean:
```
[*] Creating 1000KB payload...
[*] Decoding with pyasn1...
[*] Materializing to string...
[+] Decoded 2157784 characters
[+] Binary representation: 896001 bytes
[+] Dumped to heap_dump.bin
01020408102040810204081020408102040810204081020408102040810204081020408102040810204081020408102040810204081020408102040810204081...
```
Scenario
An attacker creates a malicious X.509 certificate.
The application validates certificates.
The application accepts the malicious certificate and attempts to decode it, triggering the memory exhaustion described above.
Impact
This issue drives up resource consumption and can hang systems or stop services. This may affect:
LDAP servers
TLS/SSL endpoints
OCSP responders
etc.
Recommendation
Add a limit in the decoder on the number of bytes (continuation octets) a single sub-identifier may consume.
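The following is an added example (not code from the advisory or from pyasn1) of the kind of bound the Details and Recommendation sections describe: a pre-decode guard that parses a BER RELATIVE-OID and rejects any sub-identifier made of more than a fixed number of base-128 continuation octets, so a hostile encoding is refused before the decoder accumulates an unbounded integer. The bound `MAX_CONTINUATION` and the sample inputs are assumptions constructed for this example.

```python
# Added example, not part of pyasn1: bound continuation octets per sub-identifier
# in a BER RELATIVE-OID (universal tag 13) before handing data to the decoder.

MAX_CONTINUATION = 9  # assumed bound: ample for 64-bit sub-identifiers


def read_length(buf, i):
    """Parse a BER definite length at buf[i]; return (length, next_index)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    if n == 0 or n > 4 or i + 1 + n > len(buf):
        raise ValueError("unsupported or truncated length")
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def check_relative_oid(buf, max_cont=MAX_CONTINUATION):
    """Return the decoded sub-identifiers, or raise ValueError if a
    sub-identifier exceeds max_cont continuation octets or is malformed."""
    if not buf or buf[0] != 0x0D:
        raise ValueError("not a RELATIVE-OID")
    length, i = read_length(buf, 1)
    content = buf[i:i + length]
    if len(content) != length:
        raise ValueError("truncated content")
    subids, value, cont = [], 0, 0
    for b in content:
        if b & 0x80:  # continuation octet: 7 more bits follow
            cont += 1
            if cont > max_cont:
                raise ValueError("sub-identifier exceeds %d continuation octets" % max_cont)
            value = (value << 7) | (b & 0x7F)
        else:          # terminating octet closes this sub-identifier
            subids.append((value << 7) | b)
            value, cont = 0, 0
    if cont:
        raise ValueError("sub-identifier not terminated")
    return tuple(subids)


def is_safe_relative_oid(buf, max_cont=MAX_CONTINUATION):
    """Boolean wrapper suitable for an input-validation gate."""
    try:
        check_relative_oid(buf, max_cont)
        return True
    except ValueError:
        return False


# Constructed inputs: the X.690 sample RELATIVE-OID {8571 3 2}, and a hostile
# encoding whose single sub-identifier is 1000 continuation octets long.
BENIGN = bytes([0x0D, 0x04, 0xC2, 0x7B, 0x03, 0x02])
HOSTILE = bytes([0x0D, 0x82, 0x03, 0xE9]) + b"\x81" * 1000 + b"\x01"
```

With the default bound the hostile encoding is rejected on its tenth continuation octet, whereas the benign value decodes to `(8571, 3, 2)`.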
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
| Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
| pip | pyasn1 | 0.6.2 | |
Aliases
References