Vulnerability in NASA library for Common Data Format
Attackers can exploit a vulnerability in NASA's open-licence Common Data Format (CDF) libraries to inject malicious code. Victims of this attack merely have to open a crafted CDF file. The CDF library is used primarily by universities and government offices.
According to the NASA security bulletin, the library in versions prior to the current 3.2.1 release does not check the length of CDF file tags before copying operations. A buffer overflow can be caused when manipulated files are processed. Code can then be injected and executed in the context of the application linked to the CDF library.
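The missing length check described above, shown as an added C example (not code from the CDF library or the NASA bulletin). The record layout, buffer size and function names are hypothetical, and the sample records are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define TAG_BUF 64 /* hypothetical fixed-size destination buffer */

/* Hypothetical record (not the real CDF layout):
 * 4-byte big-endian length, then that many payload bytes. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Flawed pattern: the length read from the file is trusted as-is. */
int read_tag_unchecked(const uint8_t *rec, uint8_t *out) {
    uint32_t n = be32(rec);
    memcpy(out, rec + 4, n); /* n > TAG_BUF writes past the end of out */
    return (int)n;
}

/* Hardened: check the length against the input and the destination. */
int read_tag_checked(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    if (rec_len < 4) return -1;          /* header itself is truncated */
    uint32_t n = be32(rec);
    if (n > TAG_BUF) return -2;          /* would overflow the destination */
    if (n > rec_len - 4) return -3;      /* claims more bytes than present */
    memcpy(out, rec + 4, n);
    return (int)n;
}

/* Constructed sample records, one per outcome. */
static const uint8_t ok_rec[]    = {0, 0, 0, 5, 'E', 'p', 'o', 'c', 'h'};
static const uint8_t big_rec[]   = {0, 0, 4, 0, 'A', 'A', 'A'};
static const uint8_t short_rec[] = {0, 0, 0, 16, 'x', 'y', 'z'};
static const uint8_t cut_rec[]   = {0, 0};

int check_sample(int i) {
    uint8_t out[TAG_BUF];
    switch (i) {
    case 0: return read_tag_checked(ok_rec, sizeof ok_rec, out);
    case 1: return read_tag_checked(big_rec, sizeof big_rec, out);
    case 2: return read_tag_checked(short_rec, sizeof short_rec, out);
    default: return read_tag_checked(cut_rec, sizeof cut_rec, out);
    }
}

int main(void) {
    for (int i = 0; i < 4; i++)
        printf("sample %d -> %d\n", i, check_sample(i));
    return 0;
}
```

The checked reader rejects a record whose declared length exceeds either the destination buffer or the bytes actually present in the input, which are the two conditions a file parser has to verify before any copy.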
NASA warns against opening any files from untrusted sources with vulnerable versions of the library. Administrators are particularly advised to patch servers that accept files from the internet and process them automatically. Updated CDF library version 3.2.1 and Matlab plug-ins are available for download on the project website.
- Common Data Format (CDF) Version 3.2 and earlier Buffer Overflow Vulnerability, NASA security bulletin
- NASA's Common Data Format buffer overflow, Core Security advisory