CryptoLib Stack-Based Buffer Overflow Vulnerability in Crypto_Key_Update Function

Vulnerability

A stack-based buffer overflow has been identified in CryptoLib versions prior to 1.4.2. The root cause is a missing bounds check in the Crypto_Key_update() function in crypto_key_mgmt.c. A remote attacker who can deliver frames to a CryptoLib instance can trigger it through the Extended Procedures of the CCSDS Space Data Link Security (SDLS) Protocol by sending a key-update TLV packet with a manipulated length field. The function derives the number of keys to process from that attacker-controlled length without comparing it to the capacity of a fixed-size array, so an oversized value drives the copy loop past the end of the array and corrupts adjacent stack memory.

Impact

Exploitation causes a stack-based buffer overflow, and the most likely result is a crash of the process handling the frame. Depending on the stack layout, the out-of-bounds write may also reach return addresses or other control data, which could allow arbitrary code execution.

Reproduction

To reproduce, build CryptoLib with AddressSanitizer and deliver an Extended Procedures key-update TLV packet whose length field is spoofed to indicate more keys than the fixed-size array in Crypto_Key_update() can hold. Because the key count is derived directly from the length field, the copy loop writes past the end of the array and AddressSanitizer reports the out-of-bounds write.
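The C program below is an added illustration and is not CryptoLib's code. It models the pattern described in the Vulnerability and Reproduction sections (a key count derived from an attacker-controlled TLV length and written into a fixed-size array on the stack) beside a hardened parser that bounds the count before the copy loop. The TLV layout (1-byte tag, 1-byte length, big-endian 2-byte key IDs), the 256-byte receive buffer, the 8-entry key block and all function and constant names are assumptions made for the example, and the sample frames are constructed, not captured traffic.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Illustrative model only, not CryptoLib's code or PDU layout. Assumed: a
 * fixed-size received frame holding a TLV header (1-byte tag, 1-byte length)
 * and a payload of big-endian 16-bit key IDs copied into a stack key block. */
#define FRAME_LEN   256  /* assumed receive buffer size; covers any 1-byte length */
#define TLV_HDR_LEN 2    /* assumed: tag byte + length byte */
#define MAX_KEYS    8    /* assumed capacity of the key block */

typedef struct {
    uint16_t kid[MAX_KEYS];
    size_t   count;
} key_block_t;

enum { KU_OK = 0, KU_ERR_LENGTH = -1, KU_ERR_TOO_MANY = -2 };

/* Vulnerable pattern: the key count comes straight from the attacker-controlled
 * length byte and is never compared with the capacity of out->kid[]. A length
 * of 0xFE gives 127 iterations, so the loop writes far past kid[MAX_KEYS - 1].
 * Reads stay inside the frame only because a 1-byte length cannot exceed 255. */
int parse_key_update_vulnerable(const uint8_t frame[FRAME_LEN], key_block_t *out)
{
    size_t pdu_keys = frame[1] / 2;   /* trusted blindly */
    size_t pos = TLV_HDR_LEN;
    for (size_t x = 0; x < pdu_keys; x++) {
        out->kid[x] = (uint16_t)((frame[pos] << 8) | frame[pos + 1]);
        pos += 2;
    }
    out->count = pdu_keys;
    return KU_OK;
}

/* Hardened parser: validate the length before any write happens. */
int parse_key_update_hardened(const uint8_t frame[FRAME_LEN], key_block_t *out)
{
    size_t tlv_len = frame[1];
    /* Payload must fit in the frame and consist of whole 2-byte key IDs. */
    if (tlv_len > FRAME_LEN - TLV_HDR_LEN || (tlv_len % 2) != 0)
        return KU_ERR_LENGTH;
    size_t pdu_keys = tlv_len / 2;
    /* The bounds check the advisory describes as missing: count vs. capacity. */
    if (pdu_keys > MAX_KEYS)
        return KU_ERR_TOO_MANY;
    size_t pos = TLV_HDR_LEN;
    for (size_t x = 0; x < pdu_keys; x++) {
        out->kid[x] = (uint16_t)((frame[pos] << 8) | frame[pos + 1]);
        pos += 2;
    }
    out->count = pdu_keys;
    return KU_OK;
}

/* Constructed sample frame (not captured traffic): tag 0x01, caller-chosen
 * length byte, payload of sequential key IDs 0x0100, 0x0101, ... to the end. */
static void build_frame(uint8_t frame[FRAME_LEN], uint8_t declared_len)
{
    memset(frame, 0, FRAME_LEN);
    frame[0] = 0x01;
    frame[1] = declared_len;
    for (size_t i = 0; TLV_HDR_LEN + 2 * i + 1 < FRAME_LEN; i++) {
        frame[TLV_HDR_LEN + 2 * i]     = 0x01;
        frame[TLV_HDR_LEN + 2 * i + 1] = (uint8_t)i;
    }
}

/* Well-formed frame declaring 6 payload bytes (3 key IDs): returns 3. */
int demo_valid_packet(void)
{
    uint8_t frame[FRAME_LEN];
    key_block_t kb;
    build_frame(frame, 6);
    if (parse_key_update_hardened(frame, &kb) != KU_OK) return -1;
    if (kb.kid[0] != 0x0100 || kb.kid[2] != 0x0102) return -2;
    return (int)kb.count;
}

/* Length byte spoofed to 0xFE (127 key IDs): the hardened parser returns
 * KU_ERR_TOO_MANY instead of overflowing kb.kid[]. */
int demo_spoofed_packet(void)
{
    uint8_t frame[FRAME_LEN];
    key_block_t kb;
    build_frame(frame, 0xFE);
    return parse_key_update_hardened(frame, &kb);
}

int main(void)
{
    printf("valid: %d keys; spoofed: rc=%d\n", demo_valid_packet(), demo_spoofed_packet());
#ifdef DEMO_OVERFLOW
    /* cc -DDEMO_OVERFLOW -fsanitize=address: ASan reports the stack-buffer-
     * overflow write on kb.kid[] from the vulnerable parser. */
    uint8_t frame[FRAME_LEN];
    key_block_t kb;
    build_frame(frame, 0xFE);
    parse_key_update_vulnerable(frame, &kb);
#endif
    return 0;
}
```

The default build only exercises the hardened parser; compiling with -DDEMO_OVERFLOW -fsanitize=address runs the vulnerable parser on the spoofed frame so AddressSanitizer can flag the write past the key block, mirroring the verification step described above. The fix pattern is the same one the advisory implies for Crypto_Key_update(): derive the count from the length field, then refuse the PDU when that count exceeds the destination array before any copy takes place.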

Remediation

Update CryptoLib to version 1.4.2 or later, where this vulnerability has been patched.

Added: Oct 30, 2025, 5:35 PM
Updated: Oct 30, 2025, 7:28 PM

Vulnerability Rating (Custom Algorithm)

spread:         0.0
impact:         7.5
exploitability: 4.6
remediation:    7.7
relevance:      0.9
threat:         6.4
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.