In association with heise online

06 May 2008, 12:35

Vulnerability in NASA library for Common Data Format

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Attackers can exploit a vulnerability in NASA's open licence Data Format (CDF) libraries to inject malicious code. Victims of this attack merely have to open a crafted CDF file. The CDF library is used primarily by universities and government offices.

According to the NASA security bulletin, the library in versions prior to the current 3.2.1 release does not check the length of CDF file tags before copying operations. A buffer overflow can be caused when manipulated files are processed. Code can then be injected and executed in the context of the application linked to the CDF library.

NASA warns against opening any files from untrusted sources with vulnerable versions of the library. Administrators are particularly advised to patch servers that accept files from the internet and process them automatically. Updated CDF library version 3.2.1 and Matlab plug-ins are available for download on the project website.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit