NASA cFS Deserialization Vulnerability in Ground System Allowing Arbitrary Code Execution
Vulnerability
A deserialization vulnerability has been identified in NASA's Core Flight System (cFS) version 7.0.0. The issue arises from the use of Python's pickle module to load command and parameter definition files without proper integrity verification. This flaw allows for arbitrary code execution, as the pickle module can execute code during deserialization via the __reduce__ protocol. An attacker who can modify any .pickle file in the 'CommandFiles' or 'ParameterFiles' directories can execute arbitrary OS commands when the corresponding file is loaded in the cFS Ground System GUI.
Impact
Exploitation of this vulnerability allows for arbitrary code execution on the system where the cFS Ground System is running.
Reproduction
To reproduce this vulnerability, craft a malicious pickle file that uses the __reduce__ protocol to execute a command via os.system(). Place this file in the 'CommandFiles' directory of the cFS Ground System. When the Ground System GUI is launched and the command page corresponding to the loaded pickle file is accessed, the embedded command executes with the privileges of the operator who launched the GUI.
Remediation
No known mitigation is available.
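As an added, defender-side illustration (not part of this advisory and not code from the cFS project), the following shows the generic hardening a loader of pickle-based definition files can apply: an HMAC check over the raw bytes, a static scan with pickletools for opcodes that import or call code (the ones a __reduce__ payload depends on), and a restricted Unpickler that refuses every global lookup. The key name, the sample definitions and the HMAC scheme are assumptions for the example; the signing key would have to live somewhere the attacker's write access to 'CommandFiles' does not reach.

```python
import collections
import hashlib
import hmac
import io
import pickle
import pickletools

# Opcodes that can import a module or call a callable while a pickle is loaded.
RISKY_OPS = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "REDUCE", "BUILD"}


def risky_opcodes(data: bytes) -> list:
    """Static pre-check: names of the opcodes in `data` that could run code on load."""
    return [op.name for op, _arg, _pos in pickletools.genops(data) if op.name in RISKY_OPS]


class DataOnlyUnpickler(pickle.Unpickler):
    """Refuses every global lookup; definition files need only dicts, lists, str and int."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def sign(data: bytes, key: bytes) -> str:
    """HMAC-SHA256 tag, computed when the definition file is generated (assumed scheme)."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def load_definition_file(data: bytes, key: bytes, expected_tag: str):
    """Load a definition pickle only if it is unmodified and free of code-bearing opcodes."""
    if not hmac.compare_digest(sign(data, key), expected_tag):
        raise ValueError("integrity check failed: file was modified after signing")
    found = risky_opcodes(data)
    if found:
        # Worth logging as a detection signal: a plain-data file never needs these.
        raise ValueError(f"refusing to load: code-bearing opcodes {found}")
    return DataOnlyUnpickler(io.BytesIO(data)).load()


# Constructed samples (not real cFS files): a plain-data definition, and a pickle that
# references a global. OrderedDict is harmless, but a malicious file uses the same opcodes.
KEY = b"constructed-demo-key"
SAFE_FILE = pickle.dumps({"NOOP": {"code": 0, "params": []}}, protocol=4)
GLOBAL_FILE = pickle.dumps(collections.OrderedDict(), protocol=4)

if __name__ == "__main__":
    print(load_definition_file(SAFE_FILE, KEY, sign(SAFE_FILE, KEY)))  # the dict
    print(risky_opcodes(GLOBAL_FILE))  # ['STACK_GLOBAL', 'REDUCE']
```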