Open vmayoral opened 4 years ago
This vulnerability needs further triage. It has been produced from my readings of the documentation and source code but no PoC is available at the moment.
Aside from a PoC and a possible mitigation, this looks good to me as is.
Yeap, I don't have bandwidth nor resources now for putting together a PoC but I'm somewhat confident this should be feasible. Leaving it as triage required.
Hopefully we'll get resources to fund further research and work things like this out.
Confirmed simple PoC. Referring back to https://github.com/aliasrobotics/RVD/issues/3316.
Can you provide details of your PoC? In ArduPilot signing is available, so for this vulnerability to be real you'd need to be able to inject a valid message into a signed MAVLink2 stream, and have it parsed and actioned - without a valid signing key. I'd like to see proof that that is possible - else you should remove ArduPilot from this vulnerability. If you read your own links above, from the MAVLink documentation "If signing is enabled then the vehicle should immediately start sending signed MAVLink 2 on startup".
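The receiver-side check that the last comment refers to, as an added example that is not part of the original thread and is not ArduPilot's or the MAVLink project's code: a MAVLink 2 signature is the first 48 bits of SHA-256 over the secret key, the frame up to and including its CRC, the link id and the timestamp. The function names, the constructed sample frame and its placeholder CRC bytes are assumptions; the sketch checks only the signature and timestamp ordering, not the CRC or clock skew.

```python
import hashlib
import hmac

MAGIC_V2 = 0xFD
IFLAG_SIGNED = 0x01  # MAVLINK_IFLAG_SIGNED bit in incompat_flags
HEADER_LEN, CRC_LEN, SIG_BLOCK_LEN = 10, 2, 13


def signature(key, signed_part, link_id, ts):
    """First 48 bits of SHA-256(key + header + payload + CRC + link id + timestamp)."""
    tail = bytes([link_id]) + ts.to_bytes(6, "little")
    return hashlib.sha256(key + signed_part + tail).digest()[:6]


def sign_frame(key, frame, link_id, ts):
    """Append the 13-byte block: link id (1), timestamp (6), signature (6)."""
    tail = bytes([link_id]) + ts.to_bytes(6, "little")
    return frame + tail + signature(key, frame, link_id, ts)


def check_frame(key, frame, last_ts):
    """Return (accepted, reason); last_ts maps (sysid, compid, link id) to a timestamp."""
    if len(frame) < HEADER_LEN + CRC_LEN or frame[0] != MAGIC_V2:
        return False, "not a MAVLink 2 frame"
    if not frame[2] & IFLAG_SIGNED:
        return False, "unsigned"  # a signing-enabled receiver drops these
    body_len = HEADER_LEN + frame[1] + CRC_LEN
    if len(frame) != body_len + SIG_BLOCK_LEN:
        return False, "bad length"
    link_id = frame[body_len]
    ts = int.from_bytes(frame[body_len + 1:body_len + 7], "little")
    expected = signature(key, frame[:body_len], link_id, ts)
    if not hmac.compare_digest(expected, frame[body_len + 7:]):
        return False, "bad signature"
    stream = (frame[5], frame[6], link_id)  # sysid, compid, link id
    if ts <= last_ts.get(stream, -1):
        return False, "replayed timestamp"  # timestamps must strictly increase
    last_ts[stream] = ts
    return True, "ok"


def sample_frame(signed):
    """Constructed HEARTBEAT-sized frame; the two CRC bytes are placeholders."""
    payload = bytes(9)
    flags = IFLAG_SIGNED if signed else 0
    header = bytes([MAGIC_V2, len(payload), flags, 0, 1, 1, 1, 0, 0, 0])
    return header + payload + b"\x00\x00"
```
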