RVD#88: Unauthenticated updates in publisher list for specified topic

[aliasbot]

{
    "id": 88,
    "title": "RVD#88: Unauthenticated updates in publisher list for specified topic",
    "type": "vulnerability",
    "description": "*Similar to https://github.com/aliasrobotics/RVDP/issues/87, this vulnerability has previously been discussed in other articles such as  Dieber, B., Breiling, B., Taurer, S., Kacianka, S., Rass, S., & Schartner, P. (2017). Security for the Robot Operating System. Robotics and Autonomous Systems, 98, 192-203.*This vulnerability explits the [ROS Slave API](http://wiki.ros.org/ROS/Slave_API) and in particular, the `publisherUpdate` method which presents the following format:\r\npublisherUpdate(caller_id, topic, publishers)Callback from master of current publisher list for specified topic.Parameterscaller_id (str)ROS caller ID.\r\ntopic (str)Topic name.\r\npublishers ([str])List of current publishers for topic in the form of XMLRPC URIs\r\nReturns (int, str, int)(code, statusMessage, ignore)\r\nAs it can be seen, this method serve as callbacks for the ROS Master  to notify changes in the publishers associated with an specific topic. Most ROS nodes don't poll the Master for updates and instead, merely register for such events. These callbacks are actually the dominant mechanism for discovery and synchronization of data through the ROS1 graph. Specially between the ROS Master and the distributed ROS Nodes.By exploiting this vulnerability, an attacker can potentially modify the list of publishers of an specific topic, affecting selected Nodes while the rest of the ROS isn't affected, nor notices any change.A few assumptions:\r\n- Attack complexity is low due to existing tools that allow to exploit this vulnerability\r\n- Scope is the internal network of the robot\r\n- No safety implications have been remarked since the vulnerability affects a robot (software) component and not a complete system by itself. It should be noted however, that a robotic system using a vulnerable ROS setup could easily cause human harm and thereby affect safety.\r\n",
    "cwe": "CWE-Missing Authentication for Critical Function (CWE-306)",
    "cve": "None",
    "keywords": [
        "components software",
        "malformed",
        "robot component: ROS",
        "severity: high",
        "state: new",
        "vulnerability"
    ],
    "system": "ROS",
    "vendor": "N/A",
    "severity": {
        "rvss-score": 7.1,
        "rvss-vector": "RVSS:1.0/AV:IN/AC:L/PR:N/UI:N/Y:Z/S:U/C:H/I:N/A:H/H:N",
        "severity-description": "high",
        "cvss-score": 9.1,
        "cvss-vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H"
    },
    "links": [
        "https://github.com/aliasrobotics/RVD/issues/88"
    ],
    "flaw": {
        "phase": "unknown",
        "specificity": "N/A",
        "architectural-location": "N/A",
        "application": "N/A",
        "subsystem": "N/A",
        "package": "N/A",
        "languages": "None",
        "date-detected": "2018-10-21",
        "detected-by": "",
        "detected-by-method": "N/A",
        "date-reported": "2018-10-21",
        "reported-by": "",
        "reported-by-relationship": "N/A",
        "issue": "https://github.com/aliasrobotics/RVD/issues/88",
        "reproducibility": "",
        "trace": null,
        "reproduction": "",
        "reproduction-image": ""
    },
    "exploitation": {
        "description": "",
        "exploitation-image": "",
        "exploitation-vector": ""
    },
    "mitigation": {
        "description": "",
        "pull-request": "",
        "date-mitigation": ""
    }
}

[vmayoral]

Assumptions for a potentially vulnerable robotic system have been added.

[vmayoral]

This vulnerability has been demonstrated at https://github.com/vmayoral/basic_robot_cybersecurity/tree/master/robot_exploitation/tutorial12.

[github-actions]

Feedback (automatically generated):

• FIXME: Flaw not identified as a vulnerability, weakness or exposure. Have you included # Vulnerability (or Weakness or Exposure) report at the top of the ticket?, see for more information or review other tickets to get inspiration

Please review the feedback above. Once addressed, either request the removal of the malformed label to trigger another automatic review.

[github-actions]

Feedback (automatically generated):

• FIXME: Robot or Robot component not present in summary table or invalid, see for more information or review other tickets and get inspiration

Please review the feedback above. Once addressed, either request the removal of the malformed label to trigger another automatic review.