Vulnerability in DDS Secure Databus Systems Affecting Multiple Vendors
CVE-2023-24010
8.2 HIGH
Key Information:
- Vendor: Eprosima
- Status
- Dds
- Vendor
- CVE Published: 9 January 2025
Summary
An attacker can exploit security weaknesses present in the DDS (Data Distribution Service) configuration to gain unauthorized control over secure databus systems. This vulnerability stems from a flawed implementation of the permission document verification process, specifically involving the OpenSSL PKCS7_verify function. By successfully crafting malicious DDS participants or ROS 2 nodes with valid certificates, an attacker can manipulate the system, presenting a significant risk to data integrity and system functionality. This issue affects various DDS vendors who have not adequately secured their implementation against such configuration vulnerabilities.
Affected Version(s)
DDS all versions
CVSS V3.1
- Score: 8.2
- Severity: HIGH
- Confidentiality: High
- Integrity: None
- Availability: High
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
amrc-benmorrow
Gianluca Caizza
Ruffin White
Victor Mayoral Vilches
Mikael Arguedas