CryptoLib Heap Buffer Overflow Vulnerability in CCSDS Space Data Link Security Protocol

A heap buffer overflow vulnerability has been identified in CryptoLib versions through 1.3.3. The issue arises in the Crypto_TC_ApplySecurity function, where an incomplete validation of the frame length allows attackers to craft malicious frames. This exploitation causes a negative payload length, interpreted as a large unsigned value, leading to a buffer overflow during memory copying operations.

Impact

Exploitation of this vulnerability causes a heap buffer overflow, which can corrupt memory and potentially allow for remote code execution under certain conditions.

Reproduction

The vulnerability can be reproduced by sending a crafted frame with a specific length that triggers the buffer overflow. This can be done by using the Crypto_TC_ApplySecurity function with a frame length that, after the applied calculations, results in a negative value being interpreted as a large unsigned number. The buffer overflow can be verified by using AddressSanitizer, which will report the heap-buffer-overflow error.

Remediation

Users are advised to update to version 1.4.0, where this vulnerability has been addressed.