gmrtd Library Denial-of-Service Vulnerability via Unbounded TLV Length in ReadFile Function

Vulnerability

A denial-of-service vulnerability exists in the ReadFile function of the gmrtd library prior to version 0.17.2. The function accepts TLV (Tag-Length-Value) data with lengths up to 4GB, which leads to excessive CPU and memory consumption. Processing these unbounded lengths can cause applications to hang and become unresponsive, particularly when reading data from NFC sources. A malicious NFC transceiver can exploit this by sending dummy bytes in small chunks until the application is overwhelmed and unresponsive. Version 0.17.2 addresses the issue by enforcing strict limits on TLV lengths and improving the handling of file reads to prevent such resource exhaustion.

Impact

The vulnerability can be exploited to cause excessive CPU usage, memory exhaustion, and application hangs, leading to a denial-of-service condition.

Reproduction

The vulnerability can be reproduced with a test that uses the gmrtd library's NFC reading capabilities against a mocked transceiver. The mock simulates TLV data with a length of 4GB and sends it in small chunks, mimicking the behavior of a malicious NFC device. The application becomes unresponsive and shows high memory consumption, demonstrating the denial-of-service condition.

Remediation

Users should upgrade to gmrtd version 0.17.2 or later, which addresses the vulnerability by implementing maximum allowable TLV lengths and improving the management of read operations.
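The kind of bound the fix describes, as an added example that is not gmrtd's own code: a BER-TLV length decoder that rejects an oversized declared length before any buffer is allocated or further reads are issued. The function name, error values and the 64 KiB cap are assumptions made for this illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// maxTLVLen is an assumed cap for this example, not the value gmrtd uses.
const maxTLVLen = 64 * 1024

var (
	ErrTruncated = errors.New("tlv: truncated length field")
	ErrEncoding  = errors.New("tlv: unsupported length encoding")
	ErrTooLong   = errors.New("tlv: declared length exceeds limit")
)

// ParseBERLength decodes the BER length field at the start of buf. It returns
// the declared value length and how many bytes the length field occupied, and
// rejects a declared length above limit before anything is allocated or read.
func ParseBERLength(buf []byte, limit uint32) (uint32, int, error) {
	if len(buf) == 0 {
		return 0, 0, ErrTruncated
	}
	v, used := uint64(buf[0]), 1
	if buf[0] >= 0x80 { // long form: low 7 bits count the length bytes
		n := int(buf[0] & 0x7f)
		if n == 0 || n > 4 { // indefinite form, or wider than 32 bits
			return 0, 0, ErrEncoding
		}
		if len(buf) < 1+n {
			return 0, 0, ErrTruncated
		}
		v, used = 0, 1+n
		for _, b := range buf[1:used] {
			v = v<<8 | uint64(b)
		}
	}
	if v > uint64(limit) {
		return 0, 0, fmt.Errorf("%w: %d > %d", ErrTooLong, v, limit)
	}
	return uint32(v), used, nil
}

func main() {
	// Constructed headers: a ~4 GB claim and a 300-byte claim.
	for _, h := range [][]byte{{0x84, 0xff, 0xff, 0xff, 0xff}, {0x82, 0x01, 0x2c}} {
		fmt.Println(ParseBERLength(h, maxTLVLen))
	}
}
```

A caller would run this check on the length field as soon as it arrives and abort the file read on error, so a peer that trickles bytes in small chunks cannot keep the read loop running toward a 4GB target.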

Added: Jan 27, 2026, 9:19 PM
Updated: Jan 27, 2026, 9:19 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.4
remediation: 0.0
relevance: 2.4
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.