NASA cFS Heap-Based Buffer Overflow Vulnerability in CCSDS Packet Header Handler

Vulnerability

A heap-based buffer overflow vulnerability has been identified in NASA's Core Flight System (cFS) version 7.0.0. The issue arises in the 'TO_LAB' application within the CCSDS Packet Header Handler component. The vulnerability is triggered when 'TO_LAB' takes the packet length that 'CFE_MSG_GetSize' reads from the CCSDS header and passes it to 'OS_SocketSendTo()' without validating it against the size of the buffer actually received. This flaw allows an attacker to send a crafted message that exploits the length discrepancy, causing adjacent heap memory to be read and transmitted over UDP. The vulnerability requires access to the local network for exploitation.

Impact

Exploitation of this vulnerability leads to a heap-based buffer overflow, where excess data is written to the heap memory, potentially allowing for arbitrary code execution or causing a denial-of-service condition.

Reproduction

To reproduce this vulnerability, build NASA cFS version 'Draco' with AddressSanitizer enabled. Start cFS with the 'CI_LAB' and 'TO_LAB' applications. Then, send a UDP packet to 'CI_LAB' that includes a valid CCSDS header with an inflated length field. 'TO_LAB' will read the excessive length, causing it to transmit adjacent heap memory over UDP. AddressSanitizer will flag this as a 'heap-buffer-overflow READ' error, confirming the vulnerability.
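The missing bound check described in the Vulnerability and Reproduction sections, as an added illustration that is not code from cFS or from this advisory: it derives the packet size from the 6-byte CCSDS primary header the same way the header handler does (16-bit length field plus 7), shows the unsafe pattern of handing that figure straight to a send call, and the bounded form that rejects any packet whose claimed size exceeds what was actually received or the configured maximum. MAX_MSG_SIZE, the function names and the two sample packets are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* CCSDS Space Packet primary header: 6 bytes. The big-endian 16-bit length
 * field at offset 4 holds (total packet length - 7), so total = field + 7. */
#define CCSDS_PRI_HDR_LEN 6u
#define CCSDS_LEN_OFFSET  4u
#define CCSDS_SIZE_OFFSET 7u

/* Hypothetical upper bound for one message; stands in for whatever the
 * mission configures as its largest software-bus message. */
#define MAX_MSG_SIZE 1024u

/* Size the header claims for the whole packet. This mirrors what a
 * CFE_MSG_GetSize-style helper derives from the header: it trusts the
 * length field entirely and knows nothing about the receiving buffer. */
size_t ccsds_claimed_size(const uint8_t *hdr)
{
    uint16_t field = (uint16_t)((hdr[CCSDS_LEN_OFFSET] << 8) | hdr[CCSDS_LEN_OFFSET + 1]);
    return (size_t)field + CCSDS_SIZE_OFFSET;
}

/* Unsafe pattern: the byte count handed to the socket send comes straight from
 * the header, so an inflated field makes the send read past the buffer. */
size_t unsafe_send_len(const uint8_t *buf, size_t received)
{
    (void)received; /* the real buffer size is never consulted */
    return ccsds_claimed_size(buf);
}

/* Hardened pattern: only accept the claimed size when it fits inside the bytes
 * actually received and the configured maximum. Returns 0 on rejection; a
 * valid packet is at least 7 bytes, so 0 never collides with a real length. */
size_t safe_send_len(const uint8_t *buf, size_t received)
{
    if (buf == NULL || received < CCSDS_PRI_HDR_LEN) {
        return 0; /* not even a full primary header */
    }
    size_t claimed = ccsds_claimed_size(buf);
    if (claimed > received || claimed > MAX_MSG_SIZE) {
        return 0; /* header lies about the length: drop instead of over-reading */
    }
    return claimed;
}

/* Constructed sample: a 10-byte packet whose length field is correct (3 = 10 - 7). */
static const uint8_t good_pkt[10] = {0x08, 0x01, 0xC0, 0x00, 0x00, 0x03,
                                     0xDE, 0xAD, 0xBE, 0xEF};
/* Same packet with the length field inflated to 0x0FFF, claiming 4102 bytes. */
static const uint8_t bad_pkt[10]  = {0x08, 0x01, 0xC0, 0x00, 0x0F, 0xFF,
                                     0xDE, 0xAD, 0xBE, 0xEF};

int main(void)
{
    printf("good packet: claimed %zu, unsafe send %zu, safe send %zu\n",
           ccsds_claimed_size(good_pkt),
           unsafe_send_len(good_pkt, sizeof good_pkt),
           safe_send_len(good_pkt, sizeof good_pkt));
    printf("inflated packet: claimed %zu, unsafe send %zu, safe send %zu\n",
           ccsds_claimed_size(bad_pkt),
           unsafe_send_len(bad_pkt, sizeof bad_pkt),
           safe_send_len(bad_pkt, sizeof bad_pkt));
    return 0;
}
```

The second printf line is the condition the advisory describes: the unsafe path would pass 4102 bytes to the send call even though only 10 were received, which is exactly the over-read AddressSanitizer reports; the bounded path returns 0 and the packet is dropped.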

Added: Apr 3, 2026, 5:24 PM
Updated: Apr 3, 2026, 5:24 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 5.8
remediation: 0.0
relevance: 5.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.