aliasrobotics / RVD

Robot Vulnerability Database. An archive of robot vulnerabilities and bugs.
https://aliasrobotics.com
GNU General Public License v3.0

RVD#452: DDS cryptographic plugin, MD-5 vulnerable to pre-image attacks #452

Open vmayoral opened 4 years ago

vmayoral commented 4 years ago
{
    "id": 452,
    "title": "RVD#452: DDS cryptographic plugin, MD-5 vulnerable to pre-image attacks",
    "type": "bug",
    "description": "The use of MD-5 as stated in the standard for key hash on the data and datafrag of the RTPS encrypted packets seems problematic. MD5 and SHA-1 from a collision set of attacks have been vulnerable, but from pre-image attacks the standard states that no known vulnerabilities have been found. The paper called \u201cFinding Preimages in Full MD5 Faster than Exhaustive Search\u201d details a cryptanalytic pre-image attack on the full MD5; also the National Institute of Standards and Technology (NIST) in 2005 published that SHA-1 shouldn\u2019t be used on future systems, which is a predecessor of MD5. NIST guidelines are pushing for new algorithms to be used while stating SHA-2 is still safe but with the release of SHA-3 in 2014. SHA-3 might be a better alternative that could be considered. First reported at https://journals.sagepub.com/doi/pdf/10.1177/1729881418770011 by DiLuoffo et al.",
    "cwe": "CWE-327",
    "cve": "None",
    "keywords": [
        "components software",
        "malformed",
        "robot component: DDS",
        "robot component: FastRTPS",
        "robot component: ROS2",
        "vendor: ADLINK",
        "vendor: RTI",
        "vendor: eProsima",
        "weakness"
    ],
    "system": null,
    "vendor": "eProsima, ADLINK, RTI",
    "severity": {
        "rvss-score": "None",
        "rvss-vector": "N/A",
        "severity-description": "",
        "cvss-score": 0,
        "cvss-vector": ""
    },
    "links": [
        "https://github.com/aliasrobotics/RVD/issues/452",
        "https://journals.sagepub.com/doi/pdf/10.1177/1729881418770011"
    ],
    "flaw": {
        "phase": "unknown",
        "specificity": "N/A",
        "architectural-location": "N/A",
        "application": "N/A",
        "subsystem": "N/A",
        "package": "N/A",
        "languages": "None",
        "date-detected": "2018-06-01 (00:00)",
        "detected-by": "Vincenzo DiLuoffo, William R Michalson and Berk Sunar",
        "detected-by-method": "N/A",
        "date-reported": "2019-10-07 (00:00)",
        "reported-by": "Alias Robotics",
        "reported-by-relationship": "security researcher",
        "issue": "https://github.com/aliasrobotics/RVD/issues/452",
        "reproducibility": "",
        "trace": null,
        "reproduction": "",
        "reproduction-image": ""
    },
    "exploitation": {
        "description": "",
        "exploitation-image": "",
        "exploitation-vector": ""
    },
    "mitigation": {
        "description": "",
        "pull-request": "",
        "date-mitigation": null
    }
}
github-actions[bot] commented 4 years ago

Feedback (automatically generated):

Please review the feedback above. Once addressed, request the removal of the malformed label to trigger another automatic review.

vmayoral commented 4 years ago

Elevating to vulnerability. Needs triage. Connected to https://github.com/aliasrobotics/RVD/issues/451