Talos Vulnerability Report

TALOS-2025-2141

Dell BSAFE Crypto-C _A_DecodeElement out-of-bounds read vulnerability

October 16, 2025

CVE Number

CVE-2019-3728

SUMMARY

An integer underflow vulnerability exists in the _A_DecodeElement functionality of Dell BSAFE Crypto-C xxx. A specially crafted ASN.1 record can lead to an out-of-bounds read. An attacker can provide a malformed ASN.1 record to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Dell BSAFE Crypto-C RSA 6.4

PRODUCT URLS

BSAFE Crypto-C - https://www.dell.com/support/product-details/en-us/product/bsafe-crypto-c-micro-edition/docs

CVSSv3 SCORE

7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-191 - Integer Underflow (Wrap or Wraparound)

DETAILS

Dell BSAFE Crypto-C is a software library providing cryptographic functions and services for application developers. It is part of the BSAFE suite of security products, designed to offer robust encryption and data protection capabilities. Crypto-C supports a wide range of cryptographic algorithms, including symmetric and asymmetric encryption, hashing, and digital signatures, ensuring secure data handling and communication.

When reading an extended tag, _A_DecodeElement computes the length of sub elements with the expression contents.len = maxLen - indefiniteNonContentsLen visible in line 13, where indefiniteNonContentsLen = 4 + extendedTagLen line 9.
In a malformed file, indefiniteNonContentsLen can be greater than maxLen causing an integer underflow and subsequent read operations to not be clamped properly, which can lead to a read out-of-bounds.

Line 1 	int _A_DecodeElement(ASN_Template *tmplate, unsigned int flags,
Line 2 	  byte *encodedData, unsigned int maxLen, ASN_InputFlush *inputFlush,
Line 3 	  unsigned int *encodingLen, POINTER *handles, char **fieldName)
Line 4 	{
Line 5 	...
Line 6 
Line 7 	  if (*encodingLen == 0)
Line 8 	  {
Line 9 		indefiniteNonContentsLen = 4 + extendedTagLen;
Line 10	  }
Line 11	...
Line 12			if (*encodingLen == 0)
Line 13			  contents.len = maxLen - indefiniteNonContentsLen;

If an attacker is successful, they could use the leaked memory to bypass ASLR and, in combination with other vulnerabilities, gain the ability to execute arbitrary code.

VENDOR RESPONSE

Vendor information: https://www.dell.com/support/kbdoc/en-us/000205186/bsafe-crypto-c-micro-edition-sdk-end-of-life-announcement

TIMELINE

2025-01-24 - Vendor Disclosure
2025-10-08 - Vendor Patch Release
2025-10-16 - Public Release

Credit

Jason Crowder

TALOS-2025-2140

TALOS-2025-2142

Intelligence Center

Vulnerability Research

Incident Response

Security Resources

Media

Company