CryptoLib Heap Buffer Overflow Vulnerability in AOS Frame Processing Function Allowing Denial-of-Service and Potential Remote Code Execution

Vulnerability

A critical heap buffer overflow vulnerability has been identified in CryptoLib versions through 1.3.3. The issue arises in the 'Crypto_AOS_ProcessSecurity' function, which processes AOS frames as part of the CCSDS Space Data Link Security Protocol - Extended Procedures. The vulnerability allows an attacker to cause a denial-of-service (DoS) condition or potentially execute arbitrary code by sending a maliciously crafted AOS frame with an insufficient length. The flaw occurs because the code reads from the 'p_ingest' buffer without properly validating the length, leading to out-of-bounds memory access and a heap buffer overflow. As of now, no patched versions are available.

Impact

Exploitation of this vulnerability can lead to a denial-of-service condition, causing the application to crash, and it also allows for remote code execution by manipulating the heap through the buffer overflow.

Reproduction

The vulnerability can be reproduced by calling the 'Crypto_AOS_ProcessSecurity' function with an AOS frame that is 15 bytes long while the 'max_frame_size' parameter is set to 1786 bytes. This combination triggers an out-of-bounds read, which AddressSanitizer reports as a heap-buffer-overflow caused by the improper length validation.
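A length check of the kind the description says is missing, written here as an added example and not taken from CryptoLib: the function names, status codes and layout struct are hypothetical. The point it shows is that every read is bounded by the length actually received (15 bytes in the case above), with the configured frame size (1786) used only as an upper limit.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Illustrative only: hypothetical names, not CryptoLib's code or API. */
enum { AOS_OK = 0, AOS_ERR_NULL = -1, AOS_ERR_TOO_SHORT = -2, AOS_ERR_TOO_LONG = -3 };

/* Assumed layout parameters for the example; callers supply the values. */
typedef struct {
    size_t max_frame_size; /* configured frame size, e.g. 1786 */
    size_t hdr_len;        /* header bytes the parser will read */
    size_t sec_hdr_len;    /* security header bytes */
    size_t sec_trl_len;    /* security trailer bytes */
} aos_layout;

/* Validate the received length before any byte of p_ingest is read. */
int aos_validate_len(const uint8_t *p_ingest, size_t len_ingest, const aos_layout *cfg)
{
    if (p_ingest == NULL || cfg == NULL) return AOS_ERR_NULL;
    if (len_ingest > cfg->max_frame_size) return AOS_ERR_TOO_LONG;
    /* Smallest frame the parser can walk without leaving the buffer. */
    size_t need = cfg->hdr_len + cfg->sec_hdr_len + cfg->sec_trl_len;
    if (len_ingest < need) return AOS_ERR_TOO_SHORT;
    return AOS_OK;
}

/* Bounded field read: offset and size are checked against the received
 * length, never against the configured frame size. */
int aos_read_field(const uint8_t *p_ingest, size_t len_ingest,
                   size_t offset, size_t n, uint8_t *out)
{
    if (p_ingest == NULL || out == NULL) return AOS_ERR_NULL;
    /* Written this way so that offset + n cannot wrap around. */
    if (n > len_ingest || offset > len_ingest - n) return AOS_ERR_TOO_SHORT;
    memcpy(out, p_ingest + offset, n);
    return AOS_OK;
}
```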

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 6.0
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.