aliasrobotics / RVD

Robot Vulnerability Database. An archive of robot vulnerabilities and bugs.
https://aliasrobotics.com
GNU General Public License v3.0

RVD#450: DDS authentication plugin weakness in prime256v1 curves might lead to data to side channel attacks #450

Open vmayoral opened 4 years ago

vmayoral commented 4 years ago
id: 450
title: 'RVD#450: DDS authentication plugin weakness in prime256v1 curves might lead
  to data to side channel attacks'
type: weakness
description: For the authentication plug-in, a participant is issued a certificate
  based on one of the following types of algorithm/key definitions, RSA 2048 or ECDSA
  256 bits. The authors of SafeCurve state that using prime256v1 curves is not safe
  due to elliptic-curve discrete logarithm problem being difficult and the gap of implementing
  elliptic-curve cryptography (ECC) security, exposing data to side channel attacks.
  Other curves are offered to circumvent these shortcomings.
cwe: None
cve: None
keywords:
- components software
- malformed
- 'robot component: DDS'
- 'robot component: FastRTPS'
- 'robot component: ROS2'
- 'vendor: ADLINK'
- 'vendor: RTI'
- 'vendor: eProsima'
- weakness
system: null
vendor: null
severity:
  rvss-score: None
  rvss-vector: N/A
  severity-description: ''
  cvss-score: 0
  cvss-vector: ''
links:
- https://github.com/aliasrobotics/RVD/issues/450
flaw:
  phase: unknown
  specificity: N/A
  architectural-location: N/A
  application: N/A
  subsystem: N/A
  package: N/A
  languages: None
  date-detected: 2018-06-01 (00:00)
  detected-by: Vincenzo DiLuoffo, William R Michalson and Berk Sunar
  detected-by-method: N/A
  date-reported: 2019-10-07 (00:00)
  reported-by: Alias Robotics
  reported-by-relationship: security researcher
  issue: https://github.com/aliasrobotics/RVD/issues/450
  reproducibility: ''
  trace: null
  reproduction: ''
  reproduction-image: ''
exploitation:
  description: ''
  exploitation-image: ''
  exploitation-vector: ''
  exploitation-recipe: ''
mitigation:
  description: ''
  pull-request: ''
  date-mitigation: null

github-actions[bot] commented 4 years ago

Feedback (automatically generated):

Please review the feedback above. Once addressed, either request the removal of the malformed label to trigger another automatic review.

github-actions[bot] commented 4 years ago

Feedback (automatically generated):

Please review the feedback above. Once addressed, either request the removal of the malformed label to trigger another automatic review.

vmayoral commented 4 years ago

Elevating to vulnerability but needs further triage.