CVE-2024-35056
Description
AIT-Core v2.5.2 contains SQL injection vulnerabilities in query_packets and insert functions, allowing authenticated attackers to manipulate database queries via crafted packet IDs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
CVE-2024-35056 describes multiple SQL injection vulnerabilities discovered in NASA's AIT-Core v2.5.2, a Python-based toolkit used for ground data systems and telemetry handling in space missions. The flaws reside in the query_packets and insert functions within the database interface implementation, specifically in the SQLite3 and InfluxDB backends [1][4]. The source code constructs SQL query strings using unsanitized user-supplied packet identifiers, enabling an attacker to inject arbitrary SQL statements [1][4]. While InfluxDB's limited SQL functionality mitigates exploitation in that backend, the SQLite3 implementation is fully affected [4].
Exploitation Prerequisites
Exploitation requires that an attacker can control the packet ID parameter passed to these vulnerable database functions. Although the code performs a limited verification that merely checks whether a packet ID exists in the system, this does not prevent SQL injection [1][4]. To fully exploit the vulnerability, an attacker must also be able to modify the tlm.yaml configuration file that defines packet definitions—this increases the exploitation difficulty but does not eliminate the risk [4]. The attack surface is accessible through AIT-Core's telemetry query interface, which may be exposed to internal network users or integrated mission systems [1][4].
Impact Assessment
Successful exploitation can allow an attacker to execute arbitrary SQL commands on the SQLite database backend, potentially leading to data exfiltration, corruption, or unauthorized access to telemetry, command, and event records [1][4]. Depending on the broader system configuration where AIT-Core is deployed, this injection vector could serve as a stepping stone for more severe attacks, including command injection, lateral movement, or privilege escalation [1][4]. The risk is compounded when AIT-Core operates in mission-critical environments handling sensitive spacecraft data.
Mitigation Status
As of the publication date, no official patch has been released for CVE-2024-35056. The issue was publicly documented in the AIT-Core GitHub repository as an open security concern [4]. Users are advised to restrict network access to AIT-Core database interfaces and to implement strict input validation for packet identifiers until an official fix becomes available [1][4]. The advisory also notes related code execution vulnerabilities (CVE-2024-35057 through CVE-2024-35061) that compound the overall risk profile of this software version [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
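The gap between an existence check and real identifier validation, described under Exploitation Prerequisites and Mitigation Status, as an added Python example that is not AIT-Core's code. It assumes the packet ID is interpolated as a SQLite table name; `PACKETS`, `make_db`, `query_packets_unsafe`, `query_packets_safe` and the schema are hypothetical, and all data is constructed.

```python
import re
import sqlite3

# Constructed stand-in for packet definitions loaded from tlm.yaml.
# The second entry models a tampered definition (constructed sample).
PACKETS = {"HK_Packet", 'HK_Packet" UNION SELECT name, secret FROM operators --'}

# Strict grammar for identifiers that are allowed to reach the SQL text.
SAFE_ID = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")


def make_db():
    """Build an in-memory database with constructed telemetry and an unrelated table."""
    db = sqlite3.connect(":memory:")
    db.execute('CREATE TABLE "HK_Packet" (time TEXT, voltage TEXT)')
    db.execute('INSERT INTO "HK_Packet" VALUES (?, ?)', ("t0", "28.1"))
    db.execute("CREATE TABLE operators (name TEXT, secret TEXT)")
    db.execute("INSERT INTO operators VALUES (?, ?)", ("alice", "constructed-secret"))
    return db


def query_packets_unsafe(db, packet_id):
    # Flaw as the page describes it: existence check only, then string-built SQL.
    # Assumption: the packet ID is used as the table name.
    if packet_id not in PACKETS:
        raise ValueError("unknown packet")
    return db.execute('SELECT * FROM "%s"' % packet_id).fetchall()


def query_packets_safe(db, packet_id, start_time=None):
    if packet_id not in PACKETS:
        raise ValueError("unknown packet")
    # Table names cannot be bound as parameters, so enforce a strict grammar
    # before the name is placed in the statement.
    if not SAFE_ID.fullmatch(packet_id):
        raise ValueError("packet id is not a valid identifier")
    sql = 'SELECT * FROM "%s"' % packet_id
    params = ()
    if start_time is not None:
        # Values, unlike identifiers, are always bound.
        sql += " WHERE time >= ?"
        params = (start_time,)
    return db.execute(sql, params).fetchall()
```

The same grammar check belongs where packet definitions are loaded, so a tampered name is rejected before it enters the dictionary at all.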
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| ait-core (PyPI) | <= 2.5.2 | — |
Affected products
- NASA/AIT-Core
Patches
No patches discovered yet.
References