CVE-2018-1000654
published 2018-08-20CVE-2018-1000654: GNU Libtasn1-4.13 libtasn1-4.13 version libtasn1-4.13, libtasn1-4.12 contains a DoS, specifically CPU usage will reach 100% when running asn1Paser against the…
PriorityP423medium5.5CVSS 3.0
AVLACLPRNUIRSUCNINAH
EPSS
2.01%
78.4th percentile
GNU Libtasn1-4.13 libtasn1-4.13 version libtasn1-4.13, libtasn1-4.12 contains a DoS, specifically CPU usage will reach 100% when running asn1Paser against the POC due to an issue in _asn1_expand_object_id(p_tree), after a long time, the program will be killed. This attack appears to be exploitable via parsing a crafted file.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libtasn1-6 | < libtasn1-6 4.14-2 (bookworm) | libtasn1-6 4.14-2 (bookworm) |
| gnu | libtasn1 | — | — |
| gnu | libtasn1 | — | — |
CVSS provenance
nvdv3.05.5MEDIUMCVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
nvdv2.07.1HIGHAV:N/AC:M/Au:N/C:N/I:N/A:C
osv5.5MEDIUM
vendor_debian5.5LOW
vendor_redhat5.5MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
Libtasn1 vulnerability
vendor_ubuntu·2022-03-28
CVE-2018-1000654 Libtasn1 vulnerability
Title: Libtasn1 vulnerability
Summary: Libtasn1 could be made to crash if it opened a specially crafted
file.
It was discovered that Libtasn1 incorrectly handled certain files.
An attacker could possibly use this issue to cause a denial of service.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
libtasn1: Infinite loop in _asn1_expand_object_id(ptree) leads to memory exhaustion
vendor_redhat·2018-08-12·CVSS 5.5
CVE-2018-1000654 [MEDIUM] CWE-20 libtasn1: Infinite loop in _asn1_expand_object_id(ptree) leads to memory exhaustion
libtasn1: Infinite loop in _asn1_expand_object_id(ptree) leads to memory exhaustion
GNU Libtasn1-4.13 libtasn1-4.13 version libtasn1-4.13, libtasn1-4.12 contains a DoS, specifically CPU usage will reach 100% when running asn1Paser against the POC due to an issue in _asn1_expand_object_id(p_tree), after a long time, the program will be killed. This attack appears to be exploitable via parsing a crafted file.
A vulnerability was found in GNU Libtasn1, where a resource management issue can lead to a denial of service, here an attacker could exploit this flaw by persuading a victim to parse a specially crafted file, exhausting all available CPU resources.
Statement: This vulnerability is rated as low severity because it causes a denial of service by exhausting CPU resources, it impacts avai
Debian
CVE-2018-1000654: libtasn1-6 - GNU Libtasn1-4.13 libtasn1-4.13 version libtasn1-4.13, libtasn1-4.12 contains a ...
vendor_debian·2018·CVSS 5.5
CVE-2018-1000654 [MEDIUM] CVE-2018-1000654: libtasn1-6 - GNU Libtasn1-4.13 libtasn1-4.13 version libtasn1-4.13, libtasn1-4.12 contains a ...
GNU Libtasn1-4.13 libtasn1-4.13 version libtasn1-4.13, libtasn1-4.12 contains a DoS, specifically CPU usage will reach 100% when running asn1Paser against the POC due to an issue in _asn1_expand_object_id(p_tree), after a long time, the program will be killed. This attack appears to be exploitable via parsing a crafted file.
Scope: local
bookworm: resolved (fixed in 4.14-2)
bullseye: resolved (fixed in 4.14-2)
forky: resolved (fixed in 4.14-2)
sid: resolved (fixed in 4.14-2)
trixie: resolved (fixed in 4.14-2)
GHSA
GHSA-g69v-w5wh-rhwv: GNU Libtasn1-4
ghsa_unreviewed·2022-05-13
CVE-2018-1000654 [HIGH] GHSA-g69v-w5wh-rhwv: GNU Libtasn1-4
GNU Libtasn1-4.13 libtasn1-4.13 version libtasn1-4.13, libtasn1-4.12 contains a DoS, specifically CPU usage will reach 100% when running asn1Paser against the POC due to an issue in _asn1_expand_object_id(p_tree), after a long time, the program will be killed. This attack appears to be exploitable via parsing a crafted file.
OSV
CVE-2018-1000654: GNU Libtasn1-4
osv·2018-08-20·CVSS 5.5
CVE-2018-1000654 [MEDIUM] CVE-2018-1000654: GNU Libtasn1-4
GNU Libtasn1-4.13 libtasn1-4.13 version libtasn1-4.13, libtasn1-4.12 contains a DoS, specifically CPU usage will reach 100% when running asn1Paser against the POC due to an issue in _asn1_expand_object_id(p_tree), after a long time, the program will be killed. This attack appears to be exploitable via parsing a crafted file.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2018-1000654 mingw-libtasn1: libtasn1: Infinite loop in _asn1_expand_object_id(ptree) leads to memory exhaustion [epel-7]
bugzilla·2018-08-24·CVSS 5.5
CVE-2018-1000654 [MEDIUM] CVE-2018-1000654 mingw-libtasn1: libtasn1: Infinite loop in _asn1_expand_object_id(ptree) leads to memory exhaustion [epel-7]
CVE-2018-1000654 mingw-libtasn1: libtasn1: Infinite loop in _asn1_expand_object_id(ptree) leads to memory exhaustion [epel-7]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-7.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discuss
Bugzilla
CVE-2018-1000654 libtasn1: Infinite loop in _asn1_expand_object_id(ptree) leads to memory exhaustion [fedora-all]
bugzilla·2018-08-24·CVSS 5.5
CVE-2018-1000654 [MEDIUM] CVE-2018-1000654 libtasn1: Infinite loop in _asn1_expand_object_id(ptree) leads to memory exhaustion [fedora-all]
CVE-2018-1000654 libtasn1: Infinite loop in _asn1_expand_object_id(ptree) leads to memory exhaustion [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue
Bugzilla
CVE-2018-1000654 libtasn1: Infinite loop in _asn1_expand_object_id(ptree) leads to memory exhaustion
bugzilla·2018-08-24·CVSS 5.5
CVE-2018-1000654 [MEDIUM] CVE-2018-1000654 libtasn1: Infinite loop in _asn1_expand_object_id(ptree) leads to memory exhaustion
CVE-2018-1000654 libtasn1: Infinite loop in _asn1_expand_object_id(ptree) leads to memory exhaustion
The ASN.1 library used in GNUTLS (libtasn1) through versions 4.13 allows for an infinite loop due to an issue in the _asn1_expand_object_id(p_tree) function. An attacker could exploit this via a crafted ASN.1 structure to causing high CPU usage until a resultant out-of-memory error.
Upstream Issue:
https://gitlab.com/gnutls/libtasn1/issues/4
Discussion:
Created libtasn1 tracking bugs for this issue:
Affects: fedora-all [bug 1621973]
Created mingw-libtasn1 tracking bugs for this issue:
Affects: epel-7 [bug 1621975]
Affects: fedora-all [bug 1621974]
---
As nmav@ noted in the upstream ticket, this is an issue affecting the "compile-time" parsing of ASN.1 definitions and not runtime
Bugzilla
CVE-2018-1000654 mingw-libtasn1: libtasn1: Infinite loop in _asn1_expand_object_id(ptree) leads to memory exhaustion [fedora-all]
bugzilla·2018-08-24·CVSS 5.5
CVE-2018-1000654 [MEDIUM] CVE-2018-1000654 mingw-libtasn1: libtasn1: Infinite loop in _asn1_expand_object_id(ptree) leads to memory exhaustion [fedora-all]
CVE-2018-1000654 mingw-libtasn1: libtasn1: Infinite loop in _asn1_expand_object_id(ptree) leads to memory exhaustion [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Wiz
What Is DevOps Security? Implement, Challenges, Best Practices | Wiz
blogs_wiz·2024-12-02
What Is DevOps Security? Implement, Challenges, Best Practices | Wiz
## What is DevOps security?
DevOps security integrates security practices within the DevOps process from inception through development, deployment, and operations. It breaks down traditional silos between development, operations, and security teams, promoting a culture of security across all phases of the software development lifecycle (SDLC).
- In its early stages, DevOps focused primarily on integrating development and operations teams to improve the software development process.
- Over time, the scope of DevOps expanded to include security (especially when it comes to cloud platforms like AWS, Azure, and Google Cloud), giving rise to the term "DevSecOps."
- This integration marks a significant paradigm shift, emphasizing a comprehensive approach where security measures, championed by
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00009.htmlhttp://lists.opensuse.org/opensuse-security-announce/2019-06/msg00018.htmlhttp://www.securityfocus.com/bid/105151https://gitlab.com/gnutls/libtasn1/issues/4https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3Ehttp://lists.opensuse.org/opensuse-security-announce/2019-06/msg00009.htmlhttp://lists.opensuse.org/opensuse-security-announce/2019-06/msg00018.htmlhttp://www.securityfocus.com/bid/105151https://gitlab.com/gnutls/libtasn1/issues/4https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E
2018-08-20
Published