aliasrobotics / RVD

Robot Vulnerability Database. An archive of robot vulnerabilities and bugs.
https://aliasrobotics.com
GNU General Public License v3.0

Sockets left open and in CLOSE_WAIT state in ROS #90

Closed vmayoral closed 4 years ago

vmayoral commented 5 years ago
{
    "id": 90,
    "title": "Sockets left open and in CLOSE_WAIT state in ROS",
    "type": "vulnerability",
    "description": "First reported in April 2015 at https://github.com/ros/ros_comm/issues/610, the underlying httplib in ros_comm implements things so that connections are only closed if you are sending the header \"connection: close\". Although a client might close the connection, the socket remains in the `CLOSE_WAIT` state. Marked as CWE-400 but also applicable to CWE-772: Missing Release of Resource after Effective Lifetime. By exploiting this vulnerability, an attacker can start making use of unintended resources and eventually crash the system by requiring an arbitrary number of file descriptors and sockets. A full report and a walkthrough on how to reproduce this attack are available at https://github.com/vmayoral/basic_robot_cybersecurity/tree/master/robot_exploitation/tutorial13. The following script provides an exploit for this vulnerability:\r\n```bash\r\n#!/bin/bash\r\nwhile true; do\r\nroslaunch /opt/ros/indigo/share/roscpp_tutorials/launch/talker_listener.launch & sleep 2; kill -INT %+\r\ndone\r\n```\r\nThe vulnerability affects the following [ROS distributions](http://wiki.ros.org/Distributions):\r\n- ROS Jade Turtle\r\n- ROS Indigo Igloo\r\n- ROS Hydro Medusa\r\n- ROS Groovy Galapagos\r\n- ROS Fuerte Turtle\r\n- ROS Electric Emys\r\n- ROS Diamondback\r\n- ROS C Turtle\r\n- ROS Box Turtle\r\nThe following assumptions were made when calculating the vulnerability scoring:\r\n- Low privileges are required to execute\r\n- Since the vulnerability applies to the robotics framework, no safety hazards are assumed. It's important to note, though, that this vulnerability can bring down a complete robot or a robotic system and cause human harm or material damages. In that case, the scoring should be re-assessed.",
    "cwe": "CWE-400",
    "cve": "None",
    "keywords": [
        "components software",
        "robot component: ROS",
        "severity: medium",
        "vulnerability"
    ],
    "system": "ROS (Jade and before)",
    "vendor": "N/A",
    "severity": {
        "rvss-score": "5.6",
        "rvss-vector": "RVSS:1.0/AV:IN/AC:L/PR:L/UI:N/Y:M/S:U/C:N/I:N/A:H/H:N",
        "severity-description": "medium",
        "cvss-score": 6.5,
        "cvss-vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
    },
    "links": [
        "https://github.com/aliasrobotics/RVD/issues/90"
    ],
    "flaw": {
        "phase": "unknown",
        "specificity": "ROS-specific",
        "architectural-location": "platform code",
        "application": "N/A",
        "subsystem": "cognition:framework:ros",
        "package": "ros_comm",
        "languages": "None",
        "date-detected": "2015-04-27",
        "detected-by": "",
        "detected-by-method": "N/A",
        "date-reported": "2018-11-2",
        "reported-by": "",
        "reported-by-relationship": "N/A",
        "issue": "https://github.com/aliasrobotics/RVD/issues/90",
        "reproducibility": "",
        "trace": null,
        "reproduction": "",
        "reproduction-image": ""
    },
    "exploitation": {
        "description": "",
        "exploitation-image": "",
        "exploitation-vector": ""
    },
    "mitigation": {
        "description": "Close half closed sockets",
        "pull-request": "https://github.com/ros/ros_comm/pull/1104. See https://github.com/ros/ros_comm/issues/610 (issue) for more details.",
        "date-mitigation": "2017-08-15"
    }
}
github-actions[bot] commented 4 years ago

Feedback (automatically generated):

Please review the feedback above. Once addressed, either request the removal of the malformed label to trigger another automatic review.