Talos is disclosing three remote code execution vulnerabilities in the NASA CFITSIO library. CFITSIO is a library of C and Fortran subroutines for reading and writing data files in the Flexible Image Transport System (FITS) data format. FITS is a standard format endorsed by both NASA and the International Astronomical Union for astronomical data.
Specially crafted images parsed via the library can cause a stack-based buffer overflow, overwriting data on the stack. An attacker who can deliver a malicious FITS image to an application that parses it with CFITSIO can trigger this vulnerability and potentially gain the ability to execute code.
Exploitable buffer overflow vulnerabilities exist in the image parsing functionality of CFITSIO version 3.42.
The FITS file format stores image metadata in an ASCII header made up of fixed-width 80-character records, each holding a keyword-value pair and an optional comment. These keyword-value pairs provide details such as the origin of the data, comments and history. Several of the functions that parse the keywords are vulnerable to stack-based overflows: the buffers used to build error messages are sized incorrectly, so when a crafted keyword-value pair is given, a stack-based buffer overflow can occur.
This vulnerability arises in multiple places throughout the code. When an error message is formatted, the keyword-value/comment pair is copied into the message without its length being checked against the error buffer, and the error buffers are not large enough to hold a full record plus the surrounding message text. A crafted value/comment pair can therefore overflow them. Most notably, this pattern appears in the main header parsing functionality.
The fits_read_keyn function is responsible for reading a specific header keyword and returning its value/comment pair. As described above, this vulnerability is present in the error handling of this function. By passing in a specially crafted image, an attacker can force this function to generate an error message; because the error buffer is not large enough for the message, a stack-based buffer overflow occurs.
TALOS-2018-0531/CVE-2018-3848 - CVE-2018-3849
The fits_read_btblhdr function is responsible for reading the header of a binary table extension inside a FITS file. Its main purpose is to parse the header keywords and validate them to ensure they conform to the FITS standard. The fits_read_btblhdr function does not check the length of the input it copies into its error messages, and is therefore vulnerable to buffer overflows.
This vulnerability is similar to the one discussed above. The fits_read_atblhdr function is responsible for reading the header of an ASCII table extension inside a FITS file. It also does not bound its error messages properly, and is vulnerable to buffer overflows in the same way.
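The three functions above share one root cause: a fixed-size error-message buffer filled from header record contents without a length check. The following example, added here and not taken from CFITSIO or from the Talos advisory, shows the shape of that bug on a constructed 80-character header record. The record splitter, the buffer sizes (81 bytes, matching CFITSIO's FLEN_CARD and FLEN_ERRMSG constants), the message wording and the function names are all assumptions made for illustration; the vulnerable function is shown for comparison and is never called with the crafted input.

```c
#include <stdio.h>
#include <string.h>

/* Sizes modelled on CFITSIO's constants: a header record ("card") is 80 chars
 * plus NUL, and CFITSIO's error messages are also sized at 81 bytes. */
#define FLEN_CARD   81
#define FLEN_ERRMSG 81

struct fits_card {
    char keyword[9];          /* columns 1-8 of the record, blanks stripped */
    char value[FLEN_CARD];    /* text after "= " up to the comment separator */
    char comment[FLEN_CARD];  /* text after " / ", if any */
};

/* Split one record into keyword / value / comment.  Returns 0 on success,
 * -1 for records without a "= " value indicator (COMMENT, HISTORY, END). */
int parse_card(const char *card, struct fits_card *out)
{
    size_t len = strlen(card);
    if (len > 80) return -1;                      /* not a valid FITS record */
    memset(out, 0, sizeof *out);
    size_t klen = len < 8 ? len : 8;
    memcpy(out->keyword, card, klen);
    while (klen > 0 && out->keyword[klen - 1] == ' ') out->keyword[--klen] = '\0';
    if (len < 10 || card[8] != '=' || card[9] != ' ') return -1;
    const char *v = card + 10, *p = v;
    int inquote = 0;
    while (*p) {                                  /* a '/' inside quotes is data */
        if (*p == '\'') inquote = !inquote;
        else if (*p == '/' && !inquote) break;
        p++;
    }
    size_t vlen = (size_t)(p - v);
    while (vlen > 0 && v[vlen - 1] == ' ') vlen--;
    memcpy(out->value, v, vlen);
    if (*p == '/') {
        p++;
        while (*p == ' ') p++;
        strcpy(out->comment, p);                  /* at most 70 chars remain */
    }
    return 0;
}

/* Vulnerable pattern (hypothetical, modelled on the advisory's description):
 * 22 bytes of constant text plus up to 80 bytes of record contents cannot fit
 * in an 81-byte stack buffer, so sprintf writes past the end of msg. */
void vulnerable_errmsg(char msg[FLEN_ERRMSG], const struct fits_card *c)
{
    sprintf(msg, "Error reading keyword %s with value %s / %s",
            c->keyword, c->value, c->comment);
}

/* Length the message above would need; snprintf with a NULL buffer only
 * counts, so this is a safe way to show the overflow without triggering it. */
int errmsg_required_len(const struct fits_card *c)
{
    return snprintf(NULL, 0, "Error reading keyword %s with value %s / %s",
                    c->keyword, c->value, c->comment);
}

/* Hardened form: bounded write, and the caller learns about truncation
 * instead of the message silently spilling onto the stack. */
int safe_errmsg(char *msg, size_t msglen, const struct fits_card *c)
{
    int n = snprintf(msg, msglen, "Error reading keyword %s with value %s / %s",
                     c->keyword, c->value, c->comment);
    return n >= (int)msglen;                      /* 1 if truncated */
}

/* Constructed sample record, not from any real file:
 * "ORIGIN  = '<30 x A>' / <35 x B>" is exactly 80 characters. */
void make_crafted_card(char card[FLEN_CARD])
{
    memset(card, 0, FLEN_CARD);
    strcpy(card, "ORIGIN  = '");
    memset(card + 11, 'A', 30);
    strcpy(card + 41, "' / ");
    memset(card + 45, 'B', 35);
    card[80] = '\0';
}

int main(void)
{
    char card[FLEN_CARD], msg[FLEN_ERRMSG];
    struct fits_card c;
    make_crafted_card(card);
    if (parse_card(card, &c) != 0) return 1;
    printf("message needs %d bytes, buffer holds %d\n",
           errmsg_required_len(&c), FLEN_ERRMSG - 1);
    printf("safe path truncated: %d\n", safe_errmsg(msg, sizeof msg, &c));
    return 0;
}
```

Because every FITS record is at most 80 characters, any message that prepends constant text to a whole record needs a buffer larger than the record itself; sizing the error buffer at the record length is the mistake, and snprintf with the real buffer size is the minimal fix.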
The following Snort rules will detect exploitation attempts. Note that additional rules may be released at a future date, and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.
Snort Rule: 45697-45700, 45701-45714