CVE-2024-35057
Description
NASA AIT-Core version 2.5.2 contains a local code execution vulnerability via unsafe use of the Python eval() function in wait() and packet expression parsing.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
CVE-2024-35057 describes a local code execution vulnerability in NASA's AIT-Core version 2.5.2. The root cause is the insecure use of Python's built-in eval() function within two key components: the API wait() function in ait/core/api.py and the telemetry (TLM) packet expression handler in ait/core/tlm.py [1][4]. By design, AIT-Core allows users to supply Python expressions in certain configuration areas, but the code evaluates these expressions directly with eval() without proper sanitization or sandboxing, enabling an attacker to execute arbitrary Python commands [4].
Exploitation
An attacker who can influence or modify the input strings processed by these vulnerable functions can trigger code execution. For the API wait() function, a malicious Python string, lambda, or function can be passed as the condition argument, and the application will evaluate it with eval() [4]. In the TLM packet expression feature, the attacker needs to alter a packet definition file to include a malicious expression; this expression is then evaluated every time the corresponding telemetry attribute is accessed [4]. While the official description and references indicate this is a "local" code execution, the attack surface extends to scenarios where an adversary can inject crafted data — for example, through a man-in-the-middle (MitM) position to modify packet definitions in transit, as noted in the broader advisory covering related CVEs [1]. No authentication is strictly required if the attacker can deliver a crafted packet or modify configuration files.
Impact
Successful exploitation yields arbitrary code execution within the context of the AIT-Core application. This allows an attacker to execute system commands, install backdoors, exfiltrate sensitive telemetry data, or disrupt mission-critical ground data system operations [1][4]. Because AIT-Core is used for commanding and telemetry handling in NASA instrument and CubeSat missions, a compromise could have severe operational consequences, potentially affecting the integrity of command sequences or telemetry uplink/downlink processes.
Mitigation Status
As of the publication date, users are advised to update to a patched version of AIT-Core. The issue was reported publicly through GitHub advisories and the NVD listing [3][4]. The vendor (NASA-AMMOS) has not yet released a fixed version according to the referenced material, so temporary mitigations include avoiding use of the eval()-based wait function with untrusted input and carefully controlling access to packet definition files. The CVE is part of a cluster of vulnerabilities in AIT-Core 2.5.2, including SQL injection and additional code execution paths via pickle and yaml [1].
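An added example, not AIT-Core's code and not a vendor patch: one way to evaluate user-supplied expressions over telemetry field values without eval(), by parsing them with Python's ast module and allowing only arithmetic, comparisons and known field names. The names safe_eval, UnsafeExpression and SAMPLE_FIELDS, and the allowed-operator policy, are assumptions for illustration.

```python
import ast
import operator

# Operators an expression may use (assumed policy; ** is left out on purpose).
_BIN = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
        ast.Div: operator.truediv, ast.Mod: operator.mod}
_CMP = {ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt,
        ast.LtE: operator.le, ast.Gt: operator.gt, ast.GtE: operator.ge}

class UnsafeExpression(ValueError):
    """Raised when an expression uses syntax outside the allowlist."""

def safe_eval(expr, fields):
    """Evaluate arithmetic/comparisons over named fields without eval()."""
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and type(node.value) in (int, float, bool):
            return node.value
        if isinstance(node, ast.Name) and node.id in fields:
            return fields[node.id]
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN:
            return _BIN[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -walk(node.operand)
        if isinstance(node, ast.Compare) and all(type(o) in _CMP for o in node.ops):
            left = walk(node.left)
            for op, comp in zip(node.ops, node.comparators):
                right = walk(comp)
                if not _CMP[type(op)](left, right):
                    return False
                left = right
            return True
        if isinstance(node, ast.BoolOp):
            vals = [walk(v) for v in node.values]
            return all(vals) if isinstance(node.op, ast.And) else any(vals)
        # Calls, attributes, subscripts, lambdas and unknown names land here.
        raise UnsafeExpression(f"disallowed syntax: {type(node).__name__}")
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        raise UnsafeExpression(str(exc)) from exc
    return walk(tree)

# Constructed sample field values (not taken from an AIT-Core packet dictionary).
SAMPLE_FIELDS = {"Voltage_A": 12.5, "Voltage_B": 11.5, "Count": 3}
```

Any expression containing a function call, attribute access or a name that is not a known field raises UnsafeExpression instead of being executed.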
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| ait-core (PyPI) | <= 2.5.2 | — |
Affected products
- NASA/AIT-Core
Patches
No patches discovered yet.