Researchers at GRIMM have discovered multiple vulnerabilities – two of which could lead to remote code execution (RCE) – within the NITRO open source library that the Department of Defense and federal intelligence community use to exchange, store and transmit digital images collected by satellites.
Two of the flaws “looked like they could lead to remote code execution,” said Adam Nichols, principal of the Software Security practice at GRIMM, who explained to SC Media that photos in the library are accompanied by associated data like geo coordinates.
“If an attacker was able to get a maliciously crafted image into any of the systems that use this library – they would need some other information as well – they could take over parts of or even the entire machine or device,” said Nichols.
The remainder of the findings were flaws that could lead to denial-of-service attacks, he said, “which normally isn’t really critical, but for satellite imagery systems, obviously pretty meaningful.”
GRIMM has been collaborating with the Cybersecurity and Infrastructure Security Agency “to get the word out to all the stakeholders,” said Nichols. “We coordinated with the vendor and they patched two of them on Monday” followed by updates for the rest on Wednesday.
Nichols believes the two Monday patches were made because the vendor was updating code, not because they knew there were security issues. “We reached out to them on Tuesday with the full report with proof of concepts (PoCs) and they acknowledged it right away and they had a release out [for the others] the next day,” he said.
Not only did the organization quickly turn around updates, it went a step further and “incorporated all our PoCs into unit tests,” said Nichols. “So, if there was a regression and the code got changed back, the unit test should catch it automatically and let them know.”
He called the proactive measures “really cool.”