Security Flaw in DDS Systems by Various Vendors
CVE-2023-24011

8.2HIGH

Key Information:

Vendor: Zettascale
Status: Dds
Vendor: CVE Published:; 9 January 2025

Summary

An attacker may exploit a vulnerability in DDS systems by manipulating malicious DDS Participants or ROS 2 Nodes equipped with legitimate certificates. This flaw arises from a non-compliant implementation of permission document verification, particularly through an improper use of the OpenSSL PKCS7_verify function. The result is a compromised secure DDS databus system, granting full control to the attacker. This issue emphasizes the need for rigorous validation measures in the configuration of PKCS#7 certificates to safeguard against unauthorized access.

Affected Version(s)

DDS all versions

References

https://github.com/ros2/sros2/issues/282

https://gist.github.com/vmayoral/235c02d0b0ef85a29812eff6...

CVSS V3.1

Score:

8.2

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 9, 2025
Vulnerability Reserved
Jan 20, 2023

Credit

amrc-benmorrow

Gianluca Caizza

Ruffin White

Victor Mayoral Vilches

Mikael Arguedas