CVE-2019-1010060

9.8 CRITICAL

📋 TL;DR

CVE-2019-1010060 is a buffer overflow vulnerability in the NASA CFITSIO library, versions prior to 3.43, that allows remote unauthenticated attackers to execute arbitrary code. The vulnerability affects multiple components, including the ftp_status function in drvrnet.c, which mishandles long strings. Any application or system using a vulnerable CFITSIO version is at risk.

💻 Affected Systems

Products:
  • NASA CFITSIO
Versions: All versions prior to 3.43
Operating Systems: All platforms running CFITSIO
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any application using CFITSIO library, particularly those processing FITS files from untrusted sources.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote attacker gains full system control and executes arbitrary code with the privileges of the CFITSIO process, potentially leading to complete system compromise.

🟠 Likely Case

Remote code execution leading to data theft, system manipulation, or installation of malware/backdoors on vulnerable systems.

🟢 If Mitigated

With proper network segmentation and least privilege, impact is limited to the CFITSIO process scope and isolated systems.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Buffer overflow in the ftp_status function, triggered by long strings beginning with the '4' character. Remote unauthenticated exploitation is possible.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.43

Vendor Advisory: https://heasarc.gsfc.nasa.gov/FTP/software/fitsio/c/docs/changes2.txt

Restart Required: Yes

Instructions:

1. Download CFITSIO 3.43 from the NASA HEASARC FTP site.
2. Compile and install following the official documentation.
3. Restart any services using CFITSIO.
4. Recompile applications linked against CFITSIO.

🔧 Temporary Workarounds

Network Restriction

Platform: linux

Restrict network access to services that link CFITSIO to trusted sources only. CFITSIO is a library, not a network daemon, so [CFITSIO_PORT] is the port of whichever application exposes FITS processing.

iptables -A INPUT -p tcp --dport [CFITSIO_PORT] -s [TRUSTED_IP] -j ACCEPT
iptables -A INPUT -p tcp --dport [CFITSIO_PORT] -j DROP

Input Validation

Platform: all

Implement strict input validation for FITS file processing.

🧯 If You Can't Patch

  • Isolate vulnerable systems in restricted network segments
  • Implement strict file upload validation and sandboxing for FITS processing

🔍 How to Verify

Check if Vulnerable:

Check CFITSIO version: strings /path/to/libcfitsio.so | grep 'CFITSIO Version' or check package manager

Check Version:

strings /usr/lib/libcfitsio.so | grep 'CFITSIO Version' || dpkg -l | grep cfitsio || rpm -qa | grep cfitsio

Verify Fix Applied:

Verify version is 3.43 or higher: cfitsio --version or check installed package version
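The version checks above print a version string that still has to be compared against the 3.43 fix line. The following POSIX shell script is an added example, not part of this advisory or of CFITSIO itself: it pulls the first dotted version out of a line of `strings`, dpkg or rpm output and classifies it, treating CFITSIO's float-style numbering (3.370, 3.43, 4.1.0) as an assumption. The sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory): classify CFITSIO version strings
# against the fixed release 3.43. Inputs are lines in the shape printed by
# `strings libcfitsio.so | grep 'CFITSIO Version'`, `dpkg -l` or `rpm -qa`.

FIXED_VERSION="3.43"

# Print the first dotted version number in the argument (e.g. "3.42"), or nothing.
extract_version() {
    printf '%s\n' "$1" | grep -o '[0-9][0-9]*\.[0-9][0-9.]*' | head -n 1 | sed 's/\.*$//'
}

# Succeed if version $1 is at least version $2. Assumption: CFITSIO numbers
# releases float-style (3.43, 3.430 and 3.43.0 denote the same release), so the
# first two components are compared as one decimal number: 3.370 < 3.43 <= 4.1.0.
version_at_least() {
    awk -v have="$1" -v want="$2" 'BEGIN {
        nh = split(have, h, "."); nw = split(want, w, ".")
        hv = (h[1] "." (nh >= 2 ? h[2] : "0")) + 0
        wv = (w[1] "." (nw >= 2 ? w[2] : "0")) + 0
        if (hv >= wv) exit 0
        exit 1
    }'
}

# Print "fixed", "vulnerable" or "unknown" for one line of version output.
cfitsio_status() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then
        echo unknown
    elif version_at_least "$v" "$FIXED_VERSION"; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Constructed sample lines mimicking the advisory's three checks (not real hosts).
cfitsio_demo() {
    for line in \
        "CFITSIO Version 3.42" \
        "ii  libcfitsio8:amd64  3.47-3build1  amd64  FITS I/O library" \
        "cfitsio-3.370-6.el7.x86_64" \
        "cfitsio 4.1.0" \
        "no version string here"
    do
        printf '%-12s %s\n' "$(cfitsio_status "$line")" "$line"
    done
}

cfitsio_demo
```

Feed the real output of the version checks above into `cfitsio_status` one line at a time; anything reported as `unknown` needs a manual look rather than being assumed fixed.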

📡 Detection & Monitoring

Log Indicators:

  • Unusual process crashes of CFITSIO applications
  • Large FITS file processing errors
  • Network connections to CFITSIO services from unexpected sources

Network Indicators:

  • Unusual traffic patterns to CFITSIO ports
  • Large FITS file transfers followed by unexpected outbound connections

SIEM Query:

process_name:"cfitsio" AND (event_type:crash OR error_message:"buffer overflow")
