We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2023-24011

Data Distribution Service (DDS) Chain of Trust (CoT) violation vulnerability in Cyclone DDS



Description

An attacker can arbitrarily craft malicious DDS Participants (or ROS 2 Nodes) with valid certificates to compromise and get full control of the attacked secure DDS databus system by exploiting vulnerable attributes in the configuration of PKCS#7 certificate’s validation. This is caused by a non-compliant implementation of permission document verification used by some DDS vendors. Specifically, an improper use of the OpenSSL PKCS7_verify function used to validate S/MIME signatures.

Reserved 2023-01-20 | Published 2025-01-09 | Updated 2025-01-09 | Assigner INCIBE


HIGH: 8.2CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L

Problem types

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

Product status

Default status
unaffected

all versions
affected

Credits

amrc-benmorrow finder

Gianluca Caizza finder

Ruffin White finder

Victor Mayoral Vilches finder

Mikael Arguedas finder

References

github.com/ros2/sros2/issues/282

gist.github.com/vmayoral/235c02d0b0ef85a29812eff6980ff80d

cve.org (CVE-2023-24011)

nvd.nist.gov (CVE-2023-24011)

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2023-24011

Support options

Helpdesk Chat, Email, Knowledgebase
Subscribe to our newsletter to learn more about our work.