Open vmayoral opened 4 years ago
```yaml
cve: CVE-2019-19625
cwe: CWE-200 (Information Exposure)
description: We found that SROS 2, the tools to generate and distribute keys for ROS 2 and use the underlying security plugins of DDS from ROS 2, leak node information due to a leaky default configuration as indicated at https://github.com/ros2/sros2/blob/master/sros2/sros2/policy/defaults/dds/governance.xml#L13. This exposure was first raised in the Security Workshop of ROSCon 2019 (Nov. 2019). Further debugging of the flaw indicates that there might be some additional underlying issues.
exploitation:
  description: A simple use of ros2cli allows exploiting this flaw. See https://asciinema.org/a/SSnSAMlOEoHfqhAuzC1R98STF for a walkthrough.
  exploitation-image: Not available
  exploitation-vector: Not available
  exploitation-recipe:
    networks:
      - network:
        - driver: overlay
        - name: net1
        - encryption: true
        - subnet: 12.0.0.0/24
      - network:
        - driver: overlay
        - name: net2
        - encryption: false
        - subnet: 13.0.0.0/24
    containers:
      - container:
        - name: subject1
        - modules:
          - base: registry.gitlab.com/aliasrobotics/offensive/alurity/ros2/ros2:2c82f8ff0dba79c00c1ce05198ef86920049a258
        - network: net1
      - container:
        - name: subject2
        - modules:
          - base: registry.gitlab.com/aliasrobotics/offensive/alurity/ros2/ros2:2c82f8ff0dba79c00c1ce05198ef86920049a258
          - volume: registry.gitlab.com/aliasrobotics/offensive/alurity/deve_atom
        - network: net1
      - container:
        - name: attacker
        - modules:
          - base: registry.gitlab.com/aliasrobotics/offensive/alurity/ros2/ros2:2c82f8ff0dba79c00c1ce05198ef86920049a258
          - volume: registry.gitlab.com/aliasrobotics/offensive/alurity/reco_aztarna
        - network:
          - net1
          - net2
    flow:
      - container:
        - name: subject1
        - window:
          - name: unsecure
          - commands:
            - command: "source /opt/ros2_ws/install/setup.bash"
            - command: "export ROS_DOMAIN_ID=0"
            - command: "ros2 run demo_nodes_cpp talker"
            - split: horizontal
            - command: "source /opt/ros2_ws/install/setup.bash"
            - command: "export ROS_DOMAIN_ID=0"
            - command: "env | grep ROS" # this shows there's no security enabled at this point
          - select: unsecure
      - container:
        - name: subject2
        - window:
          - name: secure
          - commands:
            - command: "source /opt/ros2_ws/install/setup.bash"
            - command: "export ROS_DOMAIN_ID=1"
            - command: "env | grep ROS" # this shows there's no security enabled at this point
            - command: "ros2 run demo_nodes_cpp talker"
            - command: "export ROS_SECURITY_ENABLE=true"
            - command: "export ROS_SECURITY_STRATEGY=Enforce"
            - command: "export ROS_SECURITY_ROOT_DIRECTORY=/opt/ros2_ws/keystore"
            - command: "export ROS_SECURITY_LOOKUP_TYPE=MATCH_PREFIX"
            - command: "env | grep ROS" # from this point on, there's security enabled
            - command: "ros2 run demo_nodes_cpp talker"
            - split: horizontal
            - command: "source /opt/ros2_ws/install/setup.bash"
            - command: "export ROS_DOMAIN_ID=1"
            - command: "cd /opt/ros2_ws/"
            - command: "mkdir policy"
            # generate a security policy based on our current graph
            - command: "ros2 security generate_policy policy/my_policy.xml"
            - command: "cat policy/my_policy.xml"
            # populate the keystore for all profiles
            - command: "ros2 security generate_artifacts -k keystore -p policy/my_policy.xml -n /_ros2cli"
            - command: "kill -9 $(pidof talker)"
          - select: secure
      - container:
        - name: attacker
        - window:
          - name: attacker_window
          - commands:
            - command: "source /opt/ros2_ws/install/setup.bash"
            - command: "aztarna -t ros2 -d 0 --daemon -e"
            - split: horizontal
            - command: "source /opt/ros2_ws/install/setup.bash"
            - type: "aztarna -t ros2 -d 1 --daemon -e"
          - select: attacker_window
      - attach: subject2
flaw:
  application: any ROS 2 node communicating
  architectural-location: platform code
  date-detected: null
  date-reported: '2019-12-06'
  detected-by: Victor Mayoral Vilches and Lander Usategui San Juan (Alias Robotics)
  detected-by-method: runtime detection
  issue: https://github.com/aliasrobotics/RVD/issues/922
  languages: Python
  package: sros2
  phase: runtime-operation
  reported-by: Victor Mayoral Vilches and Lander Usategui San Juan (Alias Robotics)
  reported-by-relationship: security researcher
  reproducibility: always
  reproduction: https://asciinema.org/a/SSnSAMlOEoHfqhAuzC1R98STF
  reproduction-image: Not available
  specificity: ROS-specific
  subsystem: cognition:middleware
  trace: N/A
id: 922
keywords:
  - Robot Operating System 2
  - ROS 2
  - eloquent
  - dashing
links:
  - https://ros-swg.github.io/ROSCon19_Security_Workshop/
  - https://github.com/ros-swg/turtlebot3_demo
  - https://github.com/ros2/sros2/blob/master/sros2/sros2/policy/defaults/dds/governance.xml#L13
  - https://design.ros2.org/articles/ros2_dds_security.html
  - https://asciinema.org/a/SSnSAMlOEoHfqhAuzC1R98STF
mitigation:
  date-mitigation: null
  description: Modify the policy and set rtps_protection_kind to ENCRYPT
  pull-request: https://github.com/ros2/sros2/pull/171
severity:
  cvss-score: 7.5
  cvss-vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  rvss-score: 6.5
  rvss-vector: RVSS:1.0/AV:AN/AC:L/PR:N/UI:N/Y:Z/S:U/C:H/I:N/A:N/H:N
  severity-description: high
system: ros2
title: 'RVD#922: SROS2 leaks node information'
type: exposure
vendor: ''
```
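As an added example (not part of this ticket or of the sros2 project), a small Python audit of the mitigation named above: it parses a governance document in the DDS Security layout that sros2 generates, flags every `domain_rule` whose `rtps_protection_kind` is not `ENCRYPT`, and rewrites the document with the fix applied. The sample governance XML is constructed for this example, and its `SIGN` value is an assumption standing in for the leaky default; the ticket itself only states that the fix is to set the value to `ENCRYPT`.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the DDS Security governance layout that sros2 uses.
# SIGN is an assumed weak value standing in for the leaky default; the ticket
# only states that the mitigation is to set rtps_protection_kind to ENCRYPT.
WEAK_GOVERNANCE = """<dds>
  <domain_access_rules>
    <domain_rule>
      <domains><id_range><min>0</min><max>230</max></id_range></domains>
      <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
      <enable_join_access_control>true</enable_join_access_control>
      <discovery_protection_kind>ENCRYPT</discovery_protection_kind>
      <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
      <rtps_protection_kind>SIGN</rtps_protection_kind>
    </domain_rule>
  </domain_access_rules>
</dds>
"""


def audit_governance(xml_text: str) -> list:
    """Return (rule index, value) for each domain_rule whose rtps_protection_kind
    is not ENCRYPT. SIGN only integrity-protects RTPS messages, so the node and
    topic information carried on the wire stays readable; a missing element
    (reported as None) is flagged too."""
    root = ET.fromstring(xml_text)
    findings = []
    for idx, rule in enumerate(root.iter("domain_rule")):
        kind = rule.findtext("rtps_protection_kind")
        if kind != "ENCRYPT":
            findings.append((idx, kind))
    return findings


def harden_governance(xml_text: str) -> str:
    """Apply the ticket's mitigation: force rtps_protection_kind to ENCRYPT in
    every domain_rule, adding the element where it is absent."""
    root = ET.fromstring(xml_text)
    for rule in root.iter("domain_rule"):
        elem = rule.find("rtps_protection_kind")
        if elem is None:
            elem = ET.SubElement(rule, "rtps_protection_kind")
        elem.text = "ENCRYPT"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("findings:", audit_governance(WEAK_GOVERNANCE))
    print(harden_governance(WEAK_GOVERNANCE))
```

Run it against the `governance.xml` under `ROS_SECURITY_ROOT_DIRECTORY` of a deployed keystore to confirm that no domain rule still leaves RTPS traffic unencrypted.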
Ticket updated, PR added.