NASA Software Subject to Vulnerability
Written by Rebecca Mints   
Sunday, 04 May 2008 18:00

A hacker may be able to inject malicious code through NASA's openly licensed Common Data Format (CDF) libraries when a specially crafted CDF file is opened. Those most susceptible are universities and government offices, since they are the primary users of the free software. NASA warns against using the software to open files from unknown sources.


NASA has released a security bulletin. It notes that versions of the library before the most recent, 3.2.1, do not verify the length of CDF file tags before copy operations. This can result in a buffer overflow if a carefully crafted file is processed. A hacker would then only have to inject code, which would be executed in the context of the application linked to the CDF library.
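
The missing check the bulletin describes, as an added example that is not NASA's code or part of the original article: a length read from the file drives a copy into a fixed buffer, shown unchecked and then with the verification added. The record layout, `TAG_MAX`, and the function names are assumptions for illustration, not the real CDF format.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAG_MAX 64 /* assumed destination size, not taken from the CDF source */

/* Hypothetical record: 4-byte big-endian length, then that many tag bytes.
   Constructed for illustration; this is not the real CDF file layout. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Flawed pattern: the length comes from the file and is never verified,
   so memcpy can write past out[] and read past the input buffer. */
int read_tag_unchecked(const uint8_t *file, size_t file_len, char out[TAG_MAX]) {
    (void)file_len;
    uint32_t n = be32(file);
    memcpy(out, file + 4, n);
    out[n] = '\0';
    return (int)n;
}

/* Hardened pattern: validate the length against both buffers before copying. */
int read_tag_checked(const uint8_t *file, size_t file_len, char out[TAG_MAX]) {
    if (file_len < 4) return -1;      /* length field itself is truncated */
    uint32_t n = be32(file);
    if (n >= TAG_MAX) return -2;      /* tag plus NUL would not fit in out[] */
    if (n > file_len - 4) return -3;  /* claimed length exceeds bytes present */
    memcpy(out, file + 4, n);
    out[n] = '\0';
    return (int)n;
}

/* Constructed sample inputs. */
static const uint8_t SAMPLE_OK[]    = {0, 0, 0, 3, 'C', 'D', 'F'};
static const uint8_t SAMPLE_HUGE[]  = {0, 0, 1, 0, 'A'};       /* claims 256 bytes */
static const uint8_t SAMPLE_SHORT[] = {0, 0, 0, 10, 'a', 'b'}; /* claims 10, has 2 */

int main(void) {
    char out[TAG_MAX];
    printf("ok=%d\n", read_tag_checked(SAMPLE_OK, sizeof SAMPLE_OK, out));
    printf("huge=%d\n", read_tag_checked(SAMPLE_HUGE, sizeof SAMPLE_HUGE, out));
    printf("short=%d\n", read_tag_checked(SAMPLE_SHORT, sizeof SAMPLE_SHORT, out));
    return 0;
}
```

Rejecting the record outright, rather than truncating the copy, keeps a malformed file from being partially processed by servers that accept uploads automatically.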


While NASA strongly recommends not opening files from unknown sources, it also recommends that administrators patch servers that automatically accept and process files from the internet. The project website is hosting the updated CDF library, version 3.2.1, and MATLAB plug-ins.



REFERENCES:
heise online
Vulnerability in NASA library for Common Data Format

 
