CryptoLib Out-of-Bounds Heap Read Vulnerability in KMC Metadata Parsing

Vulnerability

A heap-based out-of-bounds read vulnerability has been identified in CryptoLib versions prior to 1.4.3. The issue arises in the 'cryptography_encrypt()' function, which secures communications between spacecraft and ground stations using the CCSDS Space Data Link Security Protocol. The vulnerability occurs when the function parses JSON metadata from KMC server responses: the improper use of 'strtok' to iterate over the metadata can read one byte beyond the allocated buffer, especially with short or malformed strings. This flaw can be exploited by a malicious KMC server or a man-in-the-middle attacker to cause a denial of service by crashing the application.
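
The defensive alternative to token-walking a response of unknown length is to parse against an explicit byte count. The following is an added illustration written for this advisory, not CryptoLib's code: a bounds-checked lookup of one string field in a JSON-like metadata buffer, with constructed sample responses (the field names 'key_id' and 'metadata' are assumptions) covering a well-formed reply, a reply truncated mid-value, and a one-byte reply, the short and malformed inputs the advisory names.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bounds-checked lookup of the string value of "key" in a JSON-like metadata
 * buffer of explicit length `len`. No step depends on a terminating NUL, so a
 * short or truncated response returns -1 instead of reading past the buffer. */
int kmc_meta_get(const char *buf, size_t len, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key), i;
    for (i = 0; i + klen + 2 <= len; i++) {   /* room for "key" plus both quotes */
        if (buf[i] != '"' || memcmp(buf + i + 1, key, klen) != 0 || buf[i + 1 + klen] != '"')
            continue;
        size_t p = i + klen + 2;
        while (p < len && buf[p] == ' ') p++;
        if (p >= len || buf[p++] != ':') return -1;
        while (p < len && buf[p] == ' ') p++;
        if (p >= len || buf[p++] != '"') return -1;
        size_t start = p;
        while (p < len && buf[p] != '"') p++;
        if (p >= len) return -1;              /* value never closed: truncated */
        size_t vlen = p - start;
        if (vlen + 1 > outlen) return -1;     /* caller's buffer too small */
        memcpy(out, buf + start, vlen);
        out[vlen] = '\0';
        return 0;
    }
    return -1;                                /* key absent or malformed */
}

/* Return 0 when `key` parses to exactly `expected`, -1 otherwise. */
int kmc_meta_expect(const char *buf, size_t len, const char *key, const char *expected)
{
    char v[32];
    if (kmc_meta_get(buf, len, key, v, sizeof v) != 0) return -1;
    return strcmp(v, expected) == 0 ? 0 : -1;
}

/* Constructed sample responses; the field names are assumptions, not KMC's. */
static const char GOOD[]      = "{\"key_id\":\"130\",\"metadata\":\"x\"}";
static const char TRUNCATED[] = "{\"key_id\":\"13";   /* response cut mid-value */
static const char ONE_BYTE[]  = "\"";                 /* shortest malformed input */
int main(void)
{
    printf("%d %d %d\n", kmc_meta_expect(GOOD, sizeof GOOD - 1, "key_id", "130"),
           kmc_meta_expect(TRUNCATED, sizeof TRUNCATED - 1, "key_id", "13"),
           kmc_meta_expect(ONE_BYTE, sizeof ONE_BYTE - 1, "key_id", ""));
    return 0;
}
```

Building this with AddressSanitizer, as the Reproduction section suggests for the library itself, is a quick way to confirm that none of the three inputs produces an out-of-bounds access.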

Impact

Exploitation of this vulnerability leads to a denial-of-service condition, where the application crashes due to the out-of-bounds read, causing potential memory corruption.

Reproduction

The vulnerability can be reproduced by building CryptoLib with AddressSanitizer enabled, which detects the out-of-bounds read at runtime. After compiling the library, a mock KMC server can be set up to respond with crafted JSON metadata that triggers the vulnerability. The 'cryptography_encrypt()' function can then be called; it processes the response and performs the out-of-bounds read. This can be done either natively or within a Docker container.

Remediation

Users can upgrade to CryptoLib version 1.4.3 or later, where this vulnerability has been patched.

Added: Jan 10, 2026, 1:22 AM
Updated: Jan 10, 2026, 1:22 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 5.6
remediation: 7.7
relevance: 1.9
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.