CVE-2025-30356

CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. In 1.3.3 and earlier, a heap buffer overflow vulnerability persists in the Crypto_TC_ApplySecurity function due to an incomplete validation check on the fl (frame length) field. Although CVE-2025-29912 addressed an underflow issue involving fl, the patch fails to fully prevent unsafe calculations. As a result, an attacker can still craft malicious frames that cause a negative tf_payload_len, which is then interpreted as a large unsigned value, leading to a heap buffer overflow in a memcpy call.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/nasa/CryptoLib/commit/59d1bce7608c94c6131ef4877535075b0649799c	Patch
https://github.com/nasa/CryptoLib/security/advisories/GHSA-6w2x-w7w3-85w2	Exploit Vendor Advisory
https://github.com/nasa/CryptoLib/security/advisories/GHSA-6w2x-w7w3-85w2	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:nasa:cryptolib:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-04-01 22:15

Updated : 2025-04-29 14:20

NVD link : CVE-2025-30356

Mitre link : CVE-2025-30356

CVE.ORG link : CVE-2025-30356

JSON object : View

Products Affected

nasa

cryptolib

CWE

CWE-191

Integer Underflow (Wrap or Wraparound)

CWE-787

Out-of-bounds Write

{"id": "CVE-2025-30356", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-04-01T22:15:21.297", "references": [{"url": "https://github.com/nasa/CryptoLib/commit/59d1bce7608c94c6131ef4877535075b0649799c", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/nasa/CryptoLib/security/advisories/GHSA-6w2x-w7w3-85w2", "tags": ["Exploit", "Vendor Advisory"], "source": "[email protected]"}, {"url": "https://github.com/nasa/CryptoLib/security/advisories/GHSA-6w2x-w7w3-85w2", "tags": ["Exploit", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-191"}, {"lang": "en", "value": "CWE-787"}]}, {"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-787"}]}], "descriptions": [{"lang": "en", "value": "CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. In 1.3.3 and earlier, a heap buffer overflow vulnerability persists in the Crypto_TC_ApplySecurity function due to an incomplete validation check on the fl (frame length) field. Although CVE-2025-29912 addressed an underflow issue involving fl, the patch fails to fully prevent unsafe calculations. As a result, an attacker can still craft malicious frames that cause a negative tf_payload_len, which is then interpreted as a large unsigned value, leading to a heap buffer overflow in a memcpy call."}, {"lang": "es", "value": "CryptoLib ofrece una soluci\u00f3n exclusivamente de software que utiliza el Protocolo de Seguridad de Enlace de Datos Espaciales CCSDS - Procedimientos Extendidos (SDLS-EP) para proteger las comunicaciones entre una nave espacial que ejecuta el Sistema de Vuelo (cFS) y una estaci\u00f3n terrestre. En la versi\u00f3n 1.3.3 y anteriores, persiste una vulnerabilidad de desbordamiento del b\u00fafer de pila en la funci\u00f3n Crypto_TC_ApplySecurity debido a una comprobaci\u00f3n de validaci\u00f3n incompleta en el campo fl (longitud de la trama). Aunque CVE-2025-29912 solucion\u00f3 un problema de desbordamiento por debajo de la capacidad de fl, el parche no previene completamente los c\u00e1lculos inseguros. Como resultado, un atacante a\u00fan puede manipular tramas maliciosas que provoquen un valor negativo en tf_payload_len, que se interpreta como un valor grande sin signo, lo que provoca un desbordamiento del b\u00fafer de pila en una llamada a memcpy."}], "lastModified": "2025-04-29T14:20:48.880", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nasa:cryptolib:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9C930C9B-8C81-459A-AB6D-5F6D85290E1C", "versionEndExcluding": "1.4.0"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}