NASA CryptoLib OTAR Status Check Vulnerability Allows Spacecraft Hijacking

Vulnerability

A vulnerability in NASA CryptoLib versions prior to 1.3.2 allows spacecraft hijacking through the status check of the OTAR crypto function. The root cause is an out-of-bounds read that bypasses the Space Data Link Security (SDLS) protocol, enabling unauthorized commands to be sent to a spacecraft's Onboard Computer (OBC). The flaw stems from improper management of Security Associations (SAs) and cryptographic keys, potentially leading to unauthorized control of the spacecraft.

Impact

Exploitation of this vulnerability allows an attacker to gain exclusive control of a spacecraft, executing any action while bypassing the SDLS implementation. This could involve manipulating the spacecraft's operations or using the SDLS to block access to the legitimate operator.

Reproduction

The vulnerability can be reproduced by sending a telecommand to the spacecraft using a Security Parameter Index (SPI) that has not been properly validated. This SPI can be chosen to exploit the out-of-bounds read vulnerability, which crashes the CryptoLib application and resets the spacecraft's cryptographic counters. After the crash, the same SPI can be used to send a telecommand that is accepted by the Onboard Computer, effectively hijacking the spacecraft.

Remediation

Users are advised to update to NASA CryptoLib version 1.3.2 or later, where this vulnerability has been addressed.
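
For reference, the class of check whose absence the Reproduction section describes (an SPI used to index the SA table without validation) looks like the following. This is an added example, not CryptoLib's code or its actual fix: the table layout, sizes, type names, status codes and the header-offset parameter are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical SA table; names and sizes are assumptions, not CryptoLib's. */
#define NUM_SA   8
#define NUM_KEYS 4

typedef enum { SA_UNKEYED, SA_KEYED, SA_OPERATIONAL } sa_state_t;
typedef struct { sa_state_t state; uint16_t key_id; } sa_t;

static sa_t sa_table[NUM_SA] = {
    [1] = { SA_OPERATIONAL, 2 },   /* constructed sample entries */
    [2] = { SA_KEYED,       1 },   /* keyed but not started */
    [3] = { SA_OPERATIONAL, 9 },   /* dangling key reference */
};

typedef enum { SA_OK = 0, ERR_SHORT_FRAME, ERR_SPI_RANGE,
               ERR_SA_NOT_OPERATIONAL, ERR_KEY_RANGE } sa_status_t;

/* Read the 16-bit big-endian SPI at sec_hdr_off and resolve it to an SA.
 * Every index is range-checked before it is used on a table. */
sa_status_t sa_lookup(const uint8_t *frame, size_t len, size_t sec_hdr_off,
                      const sa_t **out)
{
    *out = NULL;
    if (frame == NULL || len < 2 || sec_hdr_off > len - 2)
        return ERR_SHORT_FRAME;          /* SPI field not fully present */

    uint16_t spi = (uint16_t)((frame[sec_hdr_off] << 8) | frame[sec_hdr_off + 1]);
    if (spi >= NUM_SA)
        return ERR_SPI_RANGE;            /* reject before indexing the table */

    const sa_t *sa = &sa_table[spi];
    if (sa->state != SA_OPERATIONAL)
        return ERR_SA_NOT_OPERATIONAL;   /* unkeyed/keyed SAs must not authenticate */
    if (sa->key_id >= NUM_KEYS)
        return ERR_KEY_RANGE;            /* key index is validated too */

    *out = sa;
    return SA_OK;
}

int main(void)
{
    /* Constructed frame: 5 header bytes, then SPI 0xFFFF (out of range). */
    uint8_t frame[] = { 0x20, 0x03, 0x00, 0x09, 0x00, 0xFF, 0xFF, 0xAA, 0xBB };
    const sa_t *sa;
    printf("status=%d\n", (int)sa_lookup(frame, sizeof frame, 5, &sa));
    return 0;
}
```

The function fails closed: any rejected frame leaves the output pointer NULL, so a caller cannot proceed with a stale or out-of-table SA.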

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 6.0
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.