aliasrobotics / RVD

Robot Vulnerability Database. An archive of robot vulnerabilities and bugs.
https://aliasrobotics.com
GNU General Public License v3.0
179 stars 31 forks source link

RVD#446: Confidentiality loss of the context of the connection during handshake in ROS 2 #446

Open vmayoral opened 5 years ago

vmayoral commented 5 years ago
{
    "id": 446,
    "title": "RVD#446: Confidentiality loss of the context of the connection during handshake in ROS 2",
    "type": "vulnerability",
    "description": "First reported at https://issues.omg.org/issues/DDSSEC12-13. Described later in more detailed and studied by R. White et al. in https://arxiv.org/pdf/1908.05310.pdf.\nThis flaw applies to the DDS Security plugins v1.1. All manufacturers complying with this standard are subject to be affected by this flaw. Corresondingly, all ROS 2 installations powered by DDS are subject to be affected by this flaw in the same way. The issue comes from the default authentication DDS security plugin specifications which presently exchanges digitally signed capability lists of both participants in the clear during the crypto handshake for permission attestation; thus breaching confidentiality of the context of the connection.\nIn particular, within DDS, each DomainParticipant must be authenticated prior to joining the DDS domain. \n\n On start, a DomainParticipant authenticates its local identity to others in the network using its own public certificate. This Identity Certificate is signed by the Identity Certificate Authority (CA). Each DomainParticipant will then verify the authentication of a discovered remote peer through a mutual handshake request and reply messages. Among other tokens inside the handshake request, the Identity Certificate and the Domain Participant Permissions of a remote peer will also be included; this information leakage we report in this flaw.",
    "cwe": "CWE-359: Exposure of Private Information ('Privacy Violation')",
    "cve": "None",
    "keywords": [
        "components software",
        "malformed",
        "robot component: FastRTPS",
        "robot component: ROS2",
        "vendor: ADLINK",
        "vendor: RTI",
        "vendor: eProsima",
        "weakness"
    ],
    "system": null,
    "vendor": null,
    "severity": {
        "rvss-score": "None",
        "rvss-vector": "N/A",
        "severity-description": "",
        "cvss-score": 0,
        "cvss-vector": ""
    },
    "links": [
        "https://github.com/aliasrobotics/RVD/issues/446",
        "https://issues.omg.org/issues/DDSSEC12-13",
        "https://arxiv.org/pdf/1908.05310.pdf"
    ],
    "flaw": {
        "phase": "unknown",
        "specificity": "N/A",
        "architectural-location": "N/A",
        "application": "N/A",
        "subsystem": "N/A",
        "package": "N/A",
        "languages": "None",
        "date-detected": "2018-10-09",
        "detected-by": "Gerardo Pardo-Castellote",
        "detected-by-method": "N/A",
        "date-reported": "2019-08-14",
        "reported-by": "Ruffin White et al. at https://arxiv.org/pdf/1908.05310.pdf, ticket created by Alias Robotics",
        "reported-by-relationship": "security researcher",
        "issue": "https://github.com/aliasrobotics/RVD/issues/446",
        "reproducibility": "See https://arxiv.org/pdf/1908.05310.pdf",
        "trace": "N/A",
        "reproduction": "See https://arxiv.org/pdf/1908.05310.pdf",
        "reproduction-image": "Not available"
    },
    "exploitation": {
        "description": "",
        "exploitation-image": "",
        "exploitation-vector": ""
    },
    "mitigation": {
        "description": "",
        "pull-request": "",
        "date-mitigation": ""
    }
}
github-actions[bot] commented 5 years ago

Feedback (automatically generated):

Please review the feedback above. Once addressed, either request the removal of the malformed label to trigger another automatic review.

github-actions[bot] commented 5 years ago

Feedback (automatically generated):

Please review the feedback above. Once addressed, either request the removal of the malformed label to trigger another automatic review.

vmayoral commented 4 years ago

Elevated and marked for triage.