Talos Vulnerability Report

TALOS-2025-2142

Dell BSAFE Crypto-C GetIndefiniteElementLen stack overflow vulnerability

October 16, 2025
CVE Number

None

SUMMARY

A stack overflow vulnerability exists in the GetIndefiniteElementLen functionality of Dell BSAFE Crypto-C xxx. A specially crafted ASN.1 record can lead to denial of service. An attacker can provide a malformed ASN.1 record to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Dell BSAFE Crypto-C RSA 6.4

PRODUCT URLS

BSAFE Crypto-C - https://www.dell.com/support/product-details/en-us/product/bsafe-crypto-c-micro-edition/docs

CVSSv3 SCORE

7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-789 - Uncontrolled Memory Allocation

DETAILS

Dell BSAFE Crypto-C is a software library providing cryptographic functions and services for application developers. It is part of the BSAFE suite of security products, designed to offer robust encryption and data protection capabilities. Crypto-C supports a wide range of cryptographic algorithms, including symmetric and asymmetric encryption, hashing, and digital signatures, ensuring secure data handling and communication.

When parsing elements with indefinite lengths, _A_GetIndefiniteElementLen calls itself recursively with no check in place to bound the recursion depth. A malformed input file can therefore exhaust the stack and cause a stack overflow, resulting in a denial of service.
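As an added example (not BSAFE's code and not derived from it), the C walker below shows the bound the advisory says is missing: it recurses into indefinite-length constructed elements but refuses input nested deeper than MAX_DEPTH, a hypothetical limit chosen here. check_nested builds constructed test inputs with a given nesting depth.

```c
/* Added example (not BSAFE's code): a minimal BER length walker that recurses
 * into indefinite-length (0x80) constructed elements under an explicit depth bound. */
#include <stddef.h>

#define MAX_DEPTH 32          /* hypothetical limit; pick one that fits the stack budget */
enum { ERR_TRUNCATED = -1, ERR_TOO_DEEP = -2, ERR_BAD_LENGTH = -3 };

/* Returns the full encoded size (tag + length + contents + EOC) of the element
 * at buf[0], or a negative error code. High-tag-number form is rejected. */
long ber_element_len(const unsigned char *buf, size_t n, int depth)
{
    if (depth > MAX_DEPTH) return ERR_TOO_DEEP;       /* the missing recursion bound */
    if (n < 2) return ERR_TRUNCATED;
    if ((buf[0] & 0x1f) == 0x1f) return ERR_BAD_LENGTH;
    int constructed = buf[0] & 0x20;                  /* bit 6 of the identifier octet */
    unsigned char lb = buf[1];
    size_t pos = 2;
    if (lb == 0x80) {            /* indefinite length: walk children until EOC 00 00 */
        if (!constructed) return ERR_BAD_LENGTH;      /* primitives must be definite */
        for (;;) {
            if (pos + 2 > n) return ERR_TRUNCATED;
            if (buf[pos] == 0x00 && buf[pos + 1] == 0x00) return (long)(pos + 2);
            long child = ber_element_len(buf + pos, n - pos, depth + 1);
            if (child < 0) return child;              /* propagate the error upward */
            pos += (size_t)child;
        }
    }
    if (lb < 0x80) return (pos + lb > n) ? ERR_TRUNCATED : (long)(pos + lb);
    int nbytes = lb & 0x7f;                           /* long definite form */
    if (nbytes == 0 || nbytes > 4 || pos + nbytes > n) return ERR_BAD_LENGTH;
    size_t len = 0;
    for (int i = 0; i < nbytes; i++) len = (len << 8) | buf[pos + i];
    pos += nbytes;
    return (len > n - pos) ? ERR_TRUNCATED : (long)(pos + len);
}

/* Constructed test input: `depth` nested indefinite-length SEQUENCEs wrapping one
 * OCTET STRING "A". Returns the walker's verdict for that input. */
long check_nested(int depth)
{
    unsigned char buf[1024];
    if (depth < 0 || (size_t)depth * 4 + 3 > sizeof buf) return ERR_BAD_LENGTH;
    size_t i = 0;
    for (int d = 0; d < depth; d++) { buf[i++] = 0x30; buf[i++] = 0x80; }
    buf[i++] = 0x04; buf[i++] = 0x01; buf[i++] = 'A';
    for (int d = 0; d < depth; d++) { buf[i++] = 0x00; buf[i++] = 0x00; }
    return ber_element_len(buf, i, 0);
}
```

With the bound in place, a deeply nested record is rejected with ERR_TOO_DEEP at a fixed stack cost instead of recursing until the stack is exhausted.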

VENDOR RESPONSE

Vendor information: https://www.dell.com/support/kbdoc/en-us/000205186/bsafe-crypto-c-micro-edition-sdk-end-of-life-announcement

TIMELINE

2025-01-24 - Vendor Disclosure
2025-10-08 - Vendor Patch Release
2025-10-16 - Public Release

Credit

Jason Crowder