Remote code execution in NASA libraries. Weather satellites and radars use Doppler radar data to process weather information, and these radars are deployed all across the world. NASA's response was immediate and the issues are fixed :)

Library name: SingleDop

SingleDop is a software module, written in the Python programming language, that will retrieve two-dimensional low-level winds from either real or simulated Doppler radar data.

It turns out the radar takes serialized objects to process this data. That makes sense, because the entities, relationships and hierarchy are encoded within the objects. A malicious entity can carefully craft an object with a hidden RCE vector; when the radar processes this data, the result is remote code execution, and sensitive radar systems can be compromised.
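The load-time behaviour described above and an allow-list loader that refuses it, as an added example (not SingleDop's code and not the project's fix). It assumes the serialized objects are Python pickles, which the page does not state; `ALLOWED_GLOBALS`, `AllowListUnpickler`, `safe_load` and `Crafted` are hypothetical names, and the sample inputs are constructed.

```python
import collections
import io
import os
import pickle

# Hypothetical allow-list: the only globals a saved wind analysis may reference.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}

class AllowListUnpickler(pickle.Unpickler):
    """Refuses every global (class or function) that is not explicitly allowed."""
    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"blocked global {module}.{name}")
        return super().find_class(module, name)

def safe_load(data):
    return AllowListUnpickler(io.BytesIO(data)).load()

class Crafted:
    """Constructed stand-in for a hostile object. __reduce__ tells pickle which
    callable to invoke at load time; a harmless one (os.getpid) is used here."""
    def __reduce__(self):
        return (os.getpid, ())

def demo():
    benign = pickle.dumps(collections.OrderedDict(u=[1.5, -2.0], v=[0.3, 0.9]))
    crafted = pickle.dumps({"u": [1.5], "extra": Crafted()})  # constructed input
    out = {"benign": safe_load(benign)}
    # Plain pickle.loads runs the embedded callable inside the loading process.
    out["unsafe_called"] = pickle.loads(crafted)["extra"] == os.getpid()
    try:
        safe_load(crafted)
        out["blocked"] = False
    except pickle.UnpicklingError as exc:
        out["blocked"], out["error"] = True, str(exc)
    return out

if __name__ == "__main__":
    print(demo())
```

An allow-list only narrows what a pickle can reach; where the data is just arrays and numbers, a format that cannot name callables at all avoids the problem entirely.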

Here’s the complete Pull request for this CVE:

GitHub issue:
