Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

RVD#3346: Data Distribution Service (DDS) Chain of Trust (CoT) violation in Cyclone DDS #3346

Open
vmayoral opened this issue Feb 25, 2023 · 0 comments

Comments

@vmayoral
Copy link
Member

{
    "id": 3346,
    "title": "RVD#3346: Data Distribution Service (DDS) Chain of Trust (CoT) violation in Cyclone DDS",
    "type": "vulnerability",
    "description": "Attacker can arbitrarily craft malicious DDS Participants (or ROS 2 Nodes) with valid certificates to compromise and get full control of the attacked secure DDS databus system by exploiting vulnerable attributes in the configuration of PKCS#7 certificate’s validation. This is caused by a non-compliant implementation of permission document verification used by some DDS vendors. Specifically, an improper use of the OpenSSL PKCS7_verify function used to validate S/MIME signatures.",
    "cwe": "CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)",
    "cve": "CVE-2023-24011",
    "keywords": [
        "Robot Operating System 2",
        "ROS 2",
        "Data Distribution Service",
        "DDS",
        "Cyclone DDS"
    ],
    "system": "DDS",
    "vendor": "ZettaScale",
    "severity": {
        "rvss-score": 8.2,
        "rvss-vector": "RVSS:1.0/AV:RN/AC:L/PR:N/UI:N/Y:Z/S:U/C:H/I:N/A:L/H:U",
        "severity-description": "high",
        "cvss-score": 8.2,
        "cvss-vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L"
    },
    "links": [
        "https://github.com/ros2/sros2/issues/282",
        "https://gist.github.com/vmayoral/235c02d0b0ef85a29812eff6980ff80d",
    ],
    "flaw": {
        "phase": "runtime-operation",
        "specificity": "DDS implementation-specific",
        "architectural-location": "platform code",
        "application": "any DDS Participant or ROS 2 node communicating",
        "subsystem": "cognition:middleware",
        "package": "sros2",
        "languages": "C++",
        "date-detected": "2022-12-13",
        "detected-by": "amrc-benmorrow, Gianluca Caizza, Ruffin White, Victor Mayoral Vilches, Mikael Arguedas",
        "detected-by-method": "runtime detection",
        "date-reported": "2023-02-25",
        "reported-by": "Victor Mayoral Vilches",
        "reported-by-relationship": "security researcher",
        "issue": "https://github.com/aliasrobotics/RVD/issues/3346",
        "reproducibility": "always",
        "trace": "N/A",
        "reproduction": "https://gist.github.com/vmayoral/235c02d0b0ef85a29812eff6980ff80d",
        "reproduction-image": "Not available"
    },
    "exploitation": {
        "description": "A simple PoC is discussed at https://github.com/ros2/sros2/issues/282 and available at https://gist.github.com/vmayoral/235c02d0b0ef85a29812eff6980ff80d.",
        "exploitation-image": "Not available",
        "exploitation-vector": "Not available"
    },
    "mitigation": {
        "description": "1) Instead of including the Permission CA into the store of trusted certificates to use for chain verification, the Permission CA (and only the Permission CA) should be included in the set of certificates in which to search for signer's certificates. The store of trusted certificates to use for chain verification should then also be set to null. 2) With the store of trusted certificates to use for chain verification set to null, the PKCS7_NOVERIFY flag should then be enabled so any signer's certificates (i.e. only the Permission CA) is not chain verified. 3) Given that only a valid signer's certificate must be the Permission CA, the PKCS7_NOINTERN flag should then be enabled so any set of certificates in the message itself are not searched when locating the signer's certificates. More details available at discussion at https://github.com/ros2/sros2/issues/282. ",
        "pull-request": "https://github.com/ros2/sros2/issues/282 (issue, not PR)",
        "date-mitigation": ""
    }
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

1 participant