gmrtd, Denial of Service, Unbounded TLV Length (Critical)

Listen to this Post

The vulnerability exists within the `ReadFile()` function of the gmrtd library, which processes BER-TLV encoded data from NFC/APDU sources via a Transceiver interface. In BER-TLV encoding, a Tag-Length-Value (TLV) object’s length can be encoded in short or long form. The flawed implementation did not enforce a maximum bound on the value of the long-form length field. A malicious or non-compliant NFC endpoint could craft a TLV object advertising an extremely large length value (e.g., up to 4 gigabytes). When `ReadFile()` processes this adversarial input, it enters a loop attempting to read the declared amount of data. This causes the library to perform a massive number of read iterations and allocate excessive memory to hold the anticipated payload, leading to severe CPU consumption, memory exhaustion, and indefinite application hangs, resulting in a Denial of Service.
Platform: gmrtd
Version: prior v0.17.2
Vulnerability : Unbounded TLV DoS
Severity: Critical
date: N/A

Prediction: Fixed v0.17.2

What Undercode Say:

Check current gmrtd version
go list -m github.com/ebfe/gmrtd
Simulative code snippet showing unbounded length parsing (conceptual)
func parseTLV(data []byte) {
lengthByte := data[bash]
if lengthByte & 0x80 { // Long-form
numBytes := lengthByte & 0x7F
// Missing bounds check on numBytes here
length = parseMultiByteLength(data[2:2+numBytes]) // Can be huge
}
// Allocate buffer for 'length' -> Potential exhaustion
buffer := make([]byte, length)
}
Post-fix, length is validated against a constant MAX_TLV_LENGTH

How Exploit:

Malicious NFC endpoint transmits BER-TLV data with an excessively large value in the long-form length field (e.g., 0x84FFFFFF). The victim application using gmrtd’s `ReadFile` attempts to process it, triggering resource exhaustion loops.

Protection from this CVE:

Upgrade to v0.17.2. Implement strict input validation for TLV length fields in any custom parsers. Use library-enforced maximum read limits.

Impact:

Application Denial-of-Service. CPU and memory resource exhaustion. Application hang/crash.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top