aliasrobotics / RVD

Robot Vulnerability Database. An archive of robot vulnerabilities and bugs.
https://aliasrobotics.com
GNU General Public License v3.0

RVD#453: Prediction number attacks on sequence number during RTPS initialization (affects authentication and access DDS security plugins) #453

Open vmayoral opened 4 years ago

vmayoral commented 4 years ago
id: 453
title: 'RVD#453: Prediction number attacks on sequence number during RTPS initialization
  (affects authentication and access DDS security plugins)'
type: weakness
description: "The DDS Security standard states that, before authentication and access\
  \ control can begin, the RTPS protocol is initialized with a sequence number that\
  \ may be susceptible to prediction number attacks. Randomizing can\u2019t be implemented\
  \ using RTPS, since it\u2019s data centric. The authentication and access plugins\
  \ need to check the sequence numbering for each of the messages being received or\
  \ implement their own mechanism to mitigate prediction number attack. The RTPS specifications\
  \ support endpoint checks, but no DDS built-in exists to access the underlying\
  \ RTPS implementation for these checks. DDS built-ins are a predefined set of services\
  \ supported by the vendor\u2019s implementation to perform functions, like discovering\
  \ other participants on the network. So, in the case of DDS built-ins to check for\
  \ prediction number attacks, this hasn\u2019t made it into a supported feature.\
  \ First reported at https://journals.sagepub.com/doi/pdf/10.1177/1729881418770011\
  \ by DiLuoffo et al."
cwe: CWE-340
cve: None
keywords:
- CWE-340
- components software
- malformed
- 'robot component: DDS'
- 'robot component: FastRTPS'
- 'robot component: ROS2'
- 'vendor: ADLINK'
- 'vendor: RTI'
- 'vendor: eProsima'
- weakness
system: null
vendor: eProsima, ADLINK, RTI
severity:
  rvss-score: None
  rvss-vector: N/A
  severity-description: ''
  cvss-score: 0
  cvss-vector: ''
links:
- https://github.com/aliasrobotics/RVD/issues/453
- https://journals.sagepub.com/doi/pdf/10.1177/1729881418770011
flaw:
  phase: unknown
  specificity: N/A
  architectural-location: N/A
  application: N/A
  subsystem: N/A
  package: N/A
  languages: None
  date-detected: '2018-05-01'
  detected-by: Vincenzo DiLuoffo, William R Michalson and Berk Sunar
  detected-by-method: N/A
  date-reported: '2018-10-07'
  reported-by: Alias Robotics
  reported-by-relationship: security researcher
  issue: https://github.com/aliasrobotics/RVD/issues/453
  reproducibility: ''
  trace: null
  reproduction: ''
  reproduction-image: ''
exploitation:
  description: ''
  exploitation-image: ''
  exploitation-vector: ''
  exploitation-recipe: ''
mitigation:
  description: ''
  pull-request: ''
  date-mitigation: ''

github-actions[bot] commented 4 years ago

Feedback (automatically generated):

Please review the feedback above. Once addressed, either request the removal of the malformed label to trigger another automatic review.

vmayoral commented 4 years ago

Added relevant dates to the ticket. Some further triage for reproducing this issue and/or describing the vulnerability in more detail is required (e.g. defining the severity, asking for a CVE id, etc.)