Dell BSAFE Crypto-C _A_DecodeElement out-of-bounds read vulnerability
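Dell BSAFE Crypto-C RSA 6.4 contains an integer underflow vulnerability. An attacker can trigger an out-of-bounds read with a crafted malicious ASN.1 record, leading to a risk of information disclosure or code execution. The CVSSv3 score is 7.5. 2025-10-15 23:58:55 Author: talosintelligence.com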

SUMMARY

An integer underflow vulnerability exists in the _A_DecodeElement functionality of Dell BSAFE Crypto-C xxx. A specially crafted ASN.1 record can lead to an out-of-bounds read. An attacker can provide a malformed ASN.1 record to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Dell BSAFE Crypto-C RSA 6.4

PRODUCT URLS

BSAFE Crypto-C - https://www.dell.com/support/product-details/en-us/product/bsafe-crypto-c-micro-edition/docs

CVSSv3 SCORE

7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-191 - Integer Underflow (Wrap or Wraparound)

DETAILS

Dell BSAFE Crypto-C is a software library providing cryptographic functions and services for application developers. It is part of the BSAFE suite of security products, designed to offer robust encryption and data protection capabilities. Crypto-C supports a wide range of cryptographic algorithms, including symmetric and asymmetric encryption, hashing, and digital signatures, ensuring secure data handling and communication.

When reading an extended tag, _A_DecodeElement computes the length of sub-elements with the expression contents.len = maxLen - indefiniteNonContentsLen (line 13), where indefiniteNonContentsLen = 4 + extendedTagLen (line 9).
In a malformed file, indefiniteNonContentsLen can be greater than maxLen, causing an integer underflow. Subsequent read operations are then not clamped properly, which can lead to an out-of-bounds read.

Line 1 	int _A_DecodeElement(ASN_Template *tmplate, unsigned int flags,
Line 2 	  byte *encodedData, unsigned int maxLen, ASN_InputFlush *inputFlush,
Line 3 	  unsigned int *encodingLen, POINTER *handles, char **fieldName)
Line 4 	{
Line 5 	...
Line 6 
Line 7 	  if (*encodingLen == 0)
Line 8 	  {
Line 9 		indefiniteNonContentsLen = 4 + extendedTagLen;
Line 10	  }
Line 11	...
Line 12			if (*encodingLen == 0)
Line 13			  contents.len = maxLen - indefiniteNonContentsLen;

If an attacker is successful, they could use the leaked memory to bypass ASLR and, in combination with other vulnerabilities, gain the ability to execute arbitrary code.
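
The following is an added example, not code from Talos or Dell and not the vendor's patch: a minimal model of the length computation on lines 9 and 13, showing the wrap next to a checked form that rejects the record before subtracting. The function names, the constant name and the use of 32-bit unsigned lengths are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* The fixed part of indefiniteNonContentsLen = 4 + extendedTagLen (line 9).
   The constant name is hypothetical. */
#define INDEFINITE_FIXED_OVERHEAD 4u

/* Unchecked form, mirroring line 13: contents.len = maxLen - overhead.
   With unsigned operands the result wraps when overhead > maxLen. */
static uint32_t contents_len_unchecked(uint32_t maxLen, uint32_t extendedTagLen)
{
    uint32_t indefiniteNonContentsLen = INDEFINITE_FIXED_OVERHEAD + extendedTagLen;
    return maxLen - indefiniteNonContentsLen;
}

/* Checked form (hypothetical helper): validate both the addition and the
   subtraction, and report a malformed record instead of producing a length. */
static bool contents_len_checked(uint32_t maxLen, uint32_t extendedTagLen,
                                 uint32_t *contentsLen)
{
    if (extendedTagLen > UINT32_MAX - INDEFINITE_FIXED_OVERHEAD)
        return false;                      /* 4 + extendedTagLen would wrap */
    uint32_t overhead = INDEFINITE_FIXED_OVERHEAD + extendedTagLen;
    if (overhead > maxLen)
        return false;                      /* subtraction would underflow */
    *contentsLen = maxLen - overhead;
    return true;
}

int main(void)
{
    /* Constructed sample values: a 5-byte buffer and a 2-byte extended tag. */
    uint32_t maxLen = 5, extendedTagLen = 2, len = 0;

    printf("unchecked: %u\n", (unsigned)contents_len_unchecked(maxLen, extendedTagLen));
    if (!contents_len_checked(maxLen, extendedTagLen, &len))
        printf("checked: record rejected (overhead exceeds maxLen)\n");
    return 0;
}
```
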

VENDOR RESPONSE

Vendor information: https://www.dell.com/support/kbdoc/en-us/000205186/bsafe-crypto-c-micro-edition-sdk-end-of-life-announcement

TIMELINE

2025-01-24 - Vendor Disclosure
2025-10-08 - Vendor Patch Release
2025-10-16 - Public Release


Source: https://talosintelligence.com/vulnerability_reports/TALOS-2025-2141