Security Flaw in DDS Data Bus Affecting ROS 2 Nodes

CVE-2023-24012

Summary

A serious security issue allows attackers to create malicious DDS Participants or ROS 2 Nodes utilizing valid certificates, enabling them to take full control of vulnerable DDS databus systems. This vulnerability arises from the improper implementation of S/MIME signature verification via the OpenSSL PKCS7_verify function, which fails to adequately verify permissions within the PKCS#7 certificate’s validation process. Affected systems may be exploited due to their reliance on improper configurations, granting potential unauthorized access and control.

References