pyasn1 Denial-of-Service Vulnerability via Uncontrolled Recursion in ASN.1 Decoding
Vulnerability
A denial-of-service vulnerability affects the pyasn1 library prior to version 0.6.3. It is caused by uncontrolled recursion when the library decodes ASN.1 data containing deeply nested structures. An attacker can exploit it by sending a crafted payload that contains thousands of nested SEQUENCE (0x30) or SET (0x31) tags, each using the indefinite-length (0x80) form. The decoder processes each nested tag recursively until the Python interpreter either raises a RecursionError or runs out of memory, crashing the application. This vulnerability is distinct from a previously addressed integer overflow in OID decoding; the fix for that issue does not address this recursion problem.
Impact
Exploitation of this vulnerability causes a stack overflow that surfaces as a RecursionError, or exhausts available memory, crashing the host application. In services where the recursion limit has been raised, the result can be server-wide memory exhaustion. Any service that uses pyasn1 to parse untrusted ASN.1 data, such as LDAP, SNMP, Kerberos, or X.509 handlers, can be crashed remotely.
Reproduction
The vulnerability can be reproduced by using the pyasn1 decoder to process a payload of indefinite-length SEQUENCE or SET tags, nested to a depth that exceeds the application's recursion limit. This can be done by manually crafting an ASN.1 payload or by using a script that generates such a payload, as demonstrated in the published proof-of-concept.
Remediation
Upgrade to pyasn1 version 0.6.3, which fixes this vulnerability by enforcing a maximum nesting depth in the decoder.
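For deployments that cannot upgrade immediately, or as defense in depth in front of any ASN.1 decoder, the nesting pattern described above (nested constructed tags in the indefinite-length 0x80 form) can be rejected before decoding. The following is an added example, not pyasn1's own code or the fix shipped in 0.6.3: it walks the BER/DER TLV structure with an explicit stack instead of recursion, measures the maximum depth of constructed tags, and refuses input that nests deeper than a configured limit. The limit value, the function names, and the sample inputs are assumptions constructed for the example.

```python
"""Added example: an iterative BER/DER nesting-depth guard to run before handing
untrusted bytes to an ASN.1 decoder. Not pyasn1 code; limit and names are assumed."""

MAX_NESTING_DEPTH = 64  # assumed policy limit; tune to the deepest structure your protocol needs


class NestingTooDeep(ValueError):
    """Raised when constructed tags nest deeper than the configured limit."""


def _read_tag(data: bytes, pos: int):
    """Return (is_constructed, next_pos); handles the multi-byte high-tag-number form."""
    first = data[pos]
    constructed = bool(first & 0x20)      # bit 6 set => constructed (SEQUENCE 0x30, SET 0x31, ...)
    pos += 1
    if first & 0x1F == 0x1F:              # high-tag-number form: subsequent octets while bit 8 set
        while data[pos] & 0x80:
            pos += 1
        pos += 1
    return constructed, pos


def _read_length(data: bytes, pos: int):
    """Return (length, next_pos); length is None for the indefinite form (0x80)."""
    first = data[pos]
    pos += 1
    if first == 0x80:
        return None, pos
    if first == 0xFF:
        raise ValueError("reserved length octet 0xFF")
    if first & 0x80:                      # long form: low 7 bits give the number of length octets
        count = first & 0x7F
        if pos + count > len(data):
            raise ValueError("truncated length")
        return int.from_bytes(data[pos:pos + count], "big"), pos + count
    return first, pos                     # short form


def ber_nesting_depth(data: bytes, limit: int = MAX_NESTING_DEPTH) -> int:
    """Walk the TLV structure with an explicit stack (no recursion) and return the maximum
    nesting depth of constructed tags. Raises NestingTooDeep as soon as the depth exceeds
    `limit`, and ValueError on malformed or truncated input."""
    pos = 0
    stack = []   # one entry per open constructed tag: end offset, or None if indefinite-length
    deepest = 0
    try:
        while True:
            # close definite-length containers whose content has been fully consumed
            while stack and stack[-1] is not None and pos >= stack[-1]:
                if pos > stack[-1]:
                    raise ValueError("element overruns its enclosing container")
                stack.pop()
            if pos >= len(data):
                break
            # 00 00 (end-of-contents) closes the innermost indefinite-length container
            if stack and stack[-1] is None and data[pos] == 0 and data[pos + 1] == 0:
                stack.pop()
                pos += 2
                continue
            constructed, pos = _read_tag(data, pos)
            length, pos = _read_length(data, pos)
            if constructed:
                end = None if length is None else pos + length
                if end is not None and end > len(data):
                    raise ValueError("truncated constructed element")
                stack.append(end)
                deepest = max(deepest, len(stack))
                if deepest > limit:
                    raise NestingTooDeep(f"nesting depth {deepest} exceeds limit {limit}")
            else:
                if length is None:
                    raise ValueError("primitive element with indefinite length")
                pos += length
                if pos > len(data):
                    raise ValueError("truncated primitive element")
    except IndexError:
        raise ValueError("truncated input") from None
    if stack:
        raise ValueError("unterminated constructed element")
    return deepest


def is_safe_to_decode(data: bytes, limit: int = MAX_NESTING_DEPTH) -> bool:
    """True if the input is well-formed and nests no deeper than `limit`."""
    try:
        ber_nesting_depth(data, limit)
        return True
    except ValueError:   # NestingTooDeep is a ValueError subclass
        return False


# Constructed sample inputs (not captured traffic):
DER_SAMPLE = bytes.fromhex("30 08 02 01 01 30 03 02 01 02")        # SEQUENCE { INTEGER 1, SEQUENCE { INTEGER 2 } }
INDEFINITE_SAMPLE = bytes.fromhex("30 80 30 80 02 01 05 00 00 00 00")  # same shape, indefinite lengths
DEEP_SAMPLE = b"\x30\x80" * 10 + b"\x00\x00" * 10                    # the advisory's pattern at a harmless depth

if __name__ == "__main__":
    for name, sample in [("DER", DER_SAMPLE), ("indefinite", INDEFINITE_SAMPLE), ("deep", DEEP_SAMPLE)]:
        print(name, "depth:", ber_nesting_depth(sample), "safe at limit 8:", is_safe_to_decode(sample, limit=8))
```

Call `is_safe_to_decode(raw)` on the bytes received from the network and only pass inputs that return True to the real decoder. Because the walk keeps its state in a Python list rather than on the call stack, its memory use grows linearly with the limit rather than with the attacker's chosen depth, and the guard fails closed on truncated or malformed input.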