Swift ASN.1 Library Denial-of-Service Vulnerability via Malformed BER/DER Parsing

Vulnerability

A denial-of-service vulnerability has been identified in the Swift ASN.1 library, affecting versions prior to 1.3.0. The library crashes when it parses certain BER/DER constructions. The crash occurs because the library incorrectly assumes that specific objects can appear only in constructed form or only in primitive form, and a precondition failure is triggered when this assumption is violated. Although these constraints are mandatory in DER, the early node parser did not enforce them, so input that violates them could reach the code that relied on them. The crash is not a memory-safety issue; it is a graceful failure in the Swift runtime. The vulnerability can be exploited when parsing BER/DER data from untrusted sources, such as TLS certificates.
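The form check described above, as an added Swift example that is not code from the Swift ASN.1 library or from this advisory: a standalone header parser that enforces the primitive/constructed form at the node level and throws instead of trapping. The advisory does not name the affected objects, so the tag sets below are an assumed subset taken from X.690, and all type and function names are hypothetical.

```swift
// Added example: standalone sketch, does not use or reproduce swift-asn1 code.
enum ASN1ParseError: Error, Equatable {
    case truncated
    case unsupportedHeader   // multi-byte tag, non-universal class or long-form length
    case wrongForm(tag: UInt8, constructed: Bool)
}

struct NodeHeader: Equatable {
    let tag: UInt8           // universal tag number (low 5 bits of the identifier octet)
    let constructed: Bool    // bit 6 (0x20) of the identifier octet
    let length: Int
}

// Forms DER requires for a few universal tags (assumed subset, per X.690).
let mustBePrimitive: Set<UInt8> = [0x01, 0x02, 0x03, 0x04, 0x05, 0x06] // BOOLEAN ... OID
let mustBeConstructed: Set<UInt8> = [0x10, 0x11]                       // SEQUENCE, SET

/// Parses one short-form universal header and enforces the form here, so that
/// later decoding code never meets a node in a form it does not expect.
func parseDERHeader(_ bytes: [UInt8]) throws -> NodeHeader {
    guard bytes.count >= 2 else { throw ASN1ParseError.truncated }
    let identifier = bytes[0]
    let lengthOctet = bytes[1]
    // This sketch handles universal class, low tag numbers and short lengths only.
    guard identifier & 0xC0 == 0, identifier & 0x1F != 0x1F, lengthOctet < 0x80 else {
        throw ASN1ParseError.unsupportedHeader
    }
    let tag = identifier & 0x1F
    let constructed = identifier & 0x20 != 0
    // Untrusted input: a form mismatch is a thrown error, never a precondition.
    if (constructed && mustBePrimitive.contains(tag))
        || (!constructed && mustBeConstructed.contains(tag)) {
        throw ASN1ParseError.wrongForm(tag: tag, constructed: constructed)
    }
    guard bytes.count - 2 >= Int(lengthOctet) else { throw ASN1ParseError.truncated }
    return NodeHeader(tag: tag, constructed: constructed, length: Int(lengthOctet))
}

// Constructed sample inputs: a valid INTEGER, an INTEGER with the constructed
// bit set, and a SEQUENCE encoded in primitive form.
let samples: [[UInt8]] = [[0x02, 0x01, 0x05], [0x22, 0x01, 0x05], [0x10, 0x00]]
for sample in samples {
    do {
        let header = try parseDERHeader(sample)
        print("accepted:", header)
    } catch {
        print("rejected:", error)
    }
}
```

The caller handles `wrongForm` like any other parse error, so a malformed certificate fails that one parse rather than terminating the process.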

Impact

Exploitation of this vulnerability causes a crash in the Swift runtime, creating a denial-of-service condition by interrupting the normal processing of BER/DER data.

Remediation

Users can upgrade to Swift ASN.1 version 1.3.1 to address this vulnerability.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 7.4
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.