RVD#446: Confidentiality loss of the context of the connection during handshake in ROS 2

[vmayoral]

{
    "id": 446,
    "title": "RVD#446: Confidentiality loss of the context of the connection during handshake in ROS 2",
    "type": "vulnerability",
    "description": "First reported at https://issues.omg.org/issues/DDSSEC12-13. Described later in more detailed and studied by R. White et al. in https://arxiv.org/pdf/1908.05310.pdf.\nThis flaw applies to the DDS Security plugins v1.1. All manufacturers complying with this standard are subject to be affected by this flaw. Corresondingly, all ROS 2 installations powered by DDS are subject to be affected by this flaw in the same way. The issue comes from the default authentication DDS security plugin specifications which presently exchanges digitally signed capability lists of both participants in the clear during the crypto handshake for permission attestation; thus breaching confidentiality of the context of the connection.\nIn particular, within DDS, each DomainParticipant must be authenticated prior to joining the DDS domain. \n\n On start, a DomainParticipant authenticates its local identity to others in the network using its own public certificate. This Identity Certificate is signed by the Identity Certificate Authority (CA). Each DomainParticipant will then verify the authentication of a discovered remote peer through a mutual handshake request and reply messages. Among other tokens inside the handshake request, the Identity Certificate and the Domain Participant Permissions of a remote peer will also be included; this information leakage we report in this flaw.",
    "cwe": "CWE-359: Exposure of Private Information ('Privacy Violation')",
    "cve": "None",
    "keywords": [
        "components software",
        "malformed",
        "robot component: FastRTPS",
        "robot component: ROS2",
        "vendor: ADLINK",
        "vendor: RTI",
        "vendor: eProsima",
        "weakness"
    ],
    "system": null,
    "vendor": null,
    "severity": {
        "rvss-score": "None",
        "rvss-vector": "N/A",
        "severity-description": "",
        "cvss-score": 0,
        "cvss-vector": ""
    },
    "links": [
        "https://github.com/aliasrobotics/RVD/issues/446",
        "https://issues.omg.org/issues/DDSSEC12-13",
        "https://arxiv.org/pdf/1908.05310.pdf"
    ],
    "flaw": {
        "phase": "unknown",
        "specificity": "N/A",
        "architectural-location": "N/A",
        "application": "N/A",
        "subsystem": "N/A",
        "package": "N/A",
        "languages": "None",
        "date-detected": "2018-10-09",
        "detected-by": "Gerardo Pardo-Castellote",
        "detected-by-method": "N/A",
        "date-reported": "2019-08-14",
        "reported-by": "Ruffin White et al. at https://arxiv.org/pdf/1908.05310.pdf, ticket created by Alias Robotics",
        "reported-by-relationship": "security researcher",
        "issue": "https://github.com/aliasrobotics/RVD/issues/446",
        "reproducibility": "See https://arxiv.org/pdf/1908.05310.pdf",
        "trace": "N/A",
        "reproduction": "See https://arxiv.org/pdf/1908.05310.pdf",
        "reproduction-image": "Not available"
    },
    "exploitation": {
        "description": "",
        "exploitation-image": "",
        "exploitation-vector": ""
    },
    "mitigation": {
        "description": "",
        "pull-request": "",
        "date-mitigation": ""
    }
}

[github-actions[bot]]

Feedback (automatically generated):

• FIXME: Flaw not identified as a vulnerability, weakness or exposure. Have you included # Vulnerability (or Weakness or Exposure) report at the top of the ticket?, see for more information or review other tickets to get inspiration

Please review the feedback above. Once addressed, either request the removal of the malformed label to trigger another automatic review.

[github-actions[bot]]

Feedback (automatically generated):

• FIXME: Robot or Robot component not present in summary table or invalid, see for more information or review other tickets and get inspiration
• FIXME: CWD ID not present in summary table or invalid, see for more information or review other tickets and get inspiration
• FIXME: Attack vector not present in summary table or invalid, see for more information or review other tickets and get inspiration
• FIXME: ### Description not present or invalid, see for more information or review other tickets and get inspiration

Please review the feedback above. Once addressed, either request the removal of the malformed label to trigger another automatic review.

[vmayoral]

Elevated and marked for triage.