NASA ION-DTN BPv7 Uncontrolled Memory Allocation Vulnerability Leading to Denial-of-Service

A denial-of-service vulnerability has been identified in NASA's Interplanetary Overlay Network (ION) implementation of Delay/Disruption Tolerant Networking (DTN) in version 4.1.3s. The issue arises when a BPv7 bundle contains a malformed extension block, causing uncontrolled memory allocation. This excessive allocation leads to the termination of the receiver thread, disrupting normal operations. The vulnerability is triggered by processing the fifth element of a CBOR array in the extension block, which, when handled incorrectly, generates an unrealistic block size that cannot be allocated, causing a failure in memory management. As a result, the node stops accepting bundles, effectively creating a denial-of-service condition.

Impact

Exploitation of this vulnerability causes the ION BPv7 receiver thread to terminate, leading to a denial-of-service condition where the node stops accepting incoming bundles. This disruption can be remotely triggered by an attacker.

Reproduction

The vulnerability can be reproduced by sending a BPv7 bundle that includes a malformed extension block to an ION-DTN 4.1.3s node. The problematic bundle should be crafted to include a byte string in the extension block that exceeds normal length expectations. Once the bundle is received, the ION node will attempt to process the extension block, leading to an allocation error. This error can be observed in the 'ion.log' file, where the node reports a failure to allocate memory due to an illegal block size, causing the 'udpcli' receiver thread to end prematurely.