NASA Software Subject to Vulnerability
Written by Rebecca Mints
Sunday, 04 May 2008 18:00
It may be possible for a hacker to inject malicious code into NASA's open-license Data Format (CDF) libraries by way of a specially crafted CDF file that a user opens. Those most susceptible are universities and government offices, since they are the primary users of the free software. NASA warns users not to open files from unknown sources with the software.

NASA has released a security bulletin. In it, the agency notes that library versions before the most recent, 3.2.1, do not verify the length of CDF file tags prior to copying operations. This can result in a buffer overflow if carefully crafted files are allowed to be processed. A hacker would then only have to inject code, which would be executed in the context of the application linked to the CDF library.

While NASA strongly recommends not opening files from unknown sources, it also recommends that administrators patch servers that automatically accept and process files from the internet. The project website is hosting an updated CDF library for version 3.2.1 and Matlab plug-ins.
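
The missing length check described in the bulletin, shown as an added example that is not code from the CDF library or from NASA's bulletin. The record layout (a 4-byte big-endian length followed by tag bytes) and the names `TAG_MAX`, `copy_tag_unchecked` and `copy_tag_checked` are assumptions made for illustration and do not reflect the real CDF file format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAG_MAX 64u  /* hypothetical destination size, not a CDF constant */

enum tag_status { TAG_OK = 0, TAG_TRUNCATED = -1, TAG_TOO_LONG = -2 };

/* Read the 32-bit big-endian length field of the constructed record. */
static uint32_t read_be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Unchecked pattern: trusts the length stored in the file. A declared
 * length above TAG_MAX makes memcpy write past the end of dst. */
void copy_tag_unchecked(char dst[TAG_MAX], const unsigned char *rec) {
    uint32_t len = read_be32(rec);
    memcpy(dst, rec + 4, len);               /* no bound on len */
}

/* Checked pattern: the declared length must fit both the bytes really
 * present in the input and the capacity of the destination buffer. */
int copy_tag_checked(char dst[TAG_MAX], const unsigned char *rec,
                     size_t rec_len) {
    if (rec_len < 4) return TAG_TRUNCATED;        /* header incomplete */
    uint32_t len = read_be32(rec);
    if (len > rec_len - 4) return TAG_TRUNCATED;  /* claims more than exists */
    if (len >= TAG_MAX) return TAG_TOO_LONG;      /* keep room for '\0' */
    memcpy(dst, rec + 4, len);
    dst[len] = '\0';
    return TAG_OK;
}

int main(void) {
    char tag[TAG_MAX];
    /* Constructed sample records, not taken from any real CDF file. */
    const unsigned char good[]  = {0, 0, 0, 3, 'E', 'p', 'o'};
    const unsigned char lying[] = {0, 0, 1, 0, 'A', 'A'}; /* says 256, has 2 */
    unsigned char big[4 + 100]  = {0, 0, 0, 100};         /* 100 > TAG_MAX */

    printf("good:  %d\n", copy_tag_checked(tag, good, sizeof good));
    printf("lying: %d\n", copy_tag_checked(tag, lying, sizeof lying));
    printf("big:   %d\n", copy_tag_checked(tag, big, sizeof big));
    return 0;
}
```

The checked function rejects a record before any bytes are copied, so a malformed file produces an error return that the caller can log instead of corrupting memory in the linked application.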