CVE-2023-24010 (GCVE-0-2023-24010)

Vulnerability from cvelistv5 – Published: 2025-01-09 14:36 – Updated: 2025-01-09 20:05
VLAI?
Summary
An attacker can arbitrarily craft malicious DDS Participants (or ROS 2 Nodes) with valid certificates to compromise and get full control of the attacked secure DDS databus system by exploiting vulnerable attributes in the configuration of PKCS#7 certificate’s validation. This is caused by a non-compliant implementation of permission document verification used by some DDS vendors. Specifically, an improper use of the OpenSSL PKCS7_verify function used to validate S/MIME signatures.
Severity ?
8.2 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
CWE
  • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
Vendor Product Version
eProsima DDS Affected: all versions
Create a notification for this product.
Credits
amrc-benmorrow Gianluca Caizza Ruffin White Victor Mayoral Vilches Mikael Arguedas
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-24010",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-09T15:29:56.704739Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-09T15:30:17.965Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://gist.github.com/vmayoral/235c02d0b0ef85a29812eff6980ff80d"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageName": "sros2",
          "product": "DDS",
          "vendor": "eProsima",
          "versions": [
            {
              "status": "affected",
              "version": "all versions"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "amrc-benmorrow"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Gianluca Caizza"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Ruffin White"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Victor Mayoral Vilches"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Mikael Arguedas"
        }
      ],
      "datePublic": "2023-02-25T11:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "An attacker can arbitrarily craft malicious DDS Participants (or ROS 2 Nodes) with valid certificates to compromise and get full control of the attacked secure DDS databus system by exploiting vulnerable attributes in the configuration of PKCS#7 certificate\u2019s validation. This is caused by a non-compliant implementation of permission document verification used by some DDS vendors. Specifically, an improper use of the OpenSSL PKCS7_verify function used to validate S/MIME signatures."
            }
          ],
          "value": "An attacker can arbitrarily craft malicious DDS Participants (or ROS 2 Nodes) with valid certificates to compromise and get full control of the attacked secure DDS databus system by exploiting vulnerable attributes in the configuration of PKCS#7 certificate\u2019s validation. This is caused by a non-compliant implementation of permission document verification used by some DDS vendors. Specifically, an improper use of the OpenSSL PKCS7_verify function used to validate S/MIME signatures."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-09T20:05:48.421277Z",
        "orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
        "shortName": "INCIBE"
      },
      "references": [
        {
          "url": "https://github.com/ros2/sros2/issues/282"
        },
        {
          "url": "https://gist.github.com/vmayoral/235c02d0b0ef85a29812eff6980ff80d"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Instead of including the Permission CA into the store of trusted certificates to use for chain verification, the Permission CA (and only the Permission CA) should be included in the set of certificates in which to search for signer\u0027s certificates. The store of trusted certificates to use for chain verification should then also be set to null. 2) With the store of trusted certificates to use for chain verification set to null, the PKCS7_NOVERIFY flag should then be enabled so any signer\u0027s certificates (i.e. only the Permission CA) is not chain verified. 3) Given that only a valid signer\u0027s certificate must be the Permission CA, the PKCS7_NOINTERN flag should then be enabled so any set of certificates in the message itself are not searched when locating the signer\u0027s certificates."
            }
          ],
          "value": "Instead of including the Permission CA into the store of trusted certificates to use for chain verification, the Permission CA (and only the Permission CA) should be included in the set of certificates in which to search for signer\u0027s certificates. The store of trusted certificates to use for chain verification should then also be set to null. 2) With the store of trusted certificates to use for chain verification set to null, the PKCS7_NOVERIFY flag should then be enabled so any signer\u0027s certificates (i.e. only the Permission CA) is not chain verified. 3) Given that only a valid signer\u0027s certificate must be the Permission CA, the PKCS7_NOINTERN flag should then be enabled so any set of certificates in the message itself are not searched when locating the signer\u0027s certificates."
        }
      ],
      "source": {
        "advisory": "RVD#3345",
        "discovery": "EXTERNAL"
      },
      "title": "Data Distribution Service (DDS) Chain of Trust (CoT) violation in Fast DDS",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
    "assignerShortName": "INCIBE",
    "cveId": "CVE-2023-24010",
    "datePublished": "2025-01-09T14:36:05.972Z",
    "dateReserved": "2023-01-20T12:00:57.059Z",
    "dateUpdated": "2025-01-09T20:05:48.421277Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"An attacker can arbitrarily craft malicious DDS Participants (or ROS 2 Nodes) with valid certificates to compromise and get full control of the attacked secure DDS databus system by exploiting vulnerable attributes in the configuration of PKCS#7 certificate\\u2019s validation. This is caused by a non-compliant implementation of permission document verification used by some DDS vendors. Specifically, an improper use of the OpenSSL PKCS7_verify function used to validate S/MIME signatures.\"}, {\"lang\": \"es\", \"value\": \"Un atacante puede manipular de forma arbitraria participantes maliciosos de DDS (o nodos ROS 2) con certificados v\\u00e1lidos para comprometer y obtener el control total del sistema de bus de datos DDS seguro atacado explotando atributos vulnerables en la configuraci\\u00f3n de validaci\\u00f3n del certificado PKCS#7. Esto se debe a una implementaci\\u00f3n no conforme de la verificaci\\u00f3n de documentos de permiso utilizada por algunos proveedores de DDS. En concreto, un uso indebido de la funci\\u00f3n PKCS7_verify de OpenSSL utilizada para validar firmas S/MIME.\"}]",
      "id": "CVE-2023-24010",
      "lastModified": "2025-01-09T16:15:30.803",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"cve-coordination@incibe.es\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L\", \"baseScore\": 8.2, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 4.2}]}",
      "published": "2025-01-09T15:15:11.467",
      "references": "[{\"url\": \"https://gist.github.com/vmayoral/235c02d0b0ef85a29812eff6980ff80d\", \"source\": \"cve-coordination@incibe.es\"}, {\"url\": \"https://github.com/ros2/sros2/issues/282\", \"source\": \"cve-coordination@incibe.es\"}, {\"url\": \"https://gist.github.com/vmayoral/235c02d0b0ef85a29812eff6980ff80d\", \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]",
      "sourceIdentifier": "cve-coordination@incibe.es",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"cve-coordination@incibe.es\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-200\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-24010\",\"sourceIdentifier\":\"cve-coordination@incibe.es\",\"published\":\"2025-01-09T15:15:11.467\",\"lastModified\":\"2025-01-09T16:15:30.803\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An attacker can arbitrarily craft malicious DDS Participants (or ROS 2 Nodes) with valid certificates to compromise and get full control of the attacked secure DDS databus system by exploiting vulnerable attributes in the configuration of PKCS#7 certificate\u2019s validation. This is caused by a non-compliant implementation of permission document verification used by some DDS vendors. Specifically, an improper use of the OpenSSL PKCS7_verify function used to validate S/MIME signatures.\"},{\"lang\":\"es\",\"value\":\"Un atacante puede manipular de forma arbitraria participantes maliciosos de DDS (o nodos ROS 2) con certificados v\u00e1lidos para comprometer y obtener el control total del sistema de bus de datos DDS seguro atacado explotando atributos vulnerables en la configuraci\u00f3n de validaci\u00f3n del certificado PKCS#7. Esto se debe a una implementaci\u00f3n no conforme de la verificaci\u00f3n de documentos de permiso utilizada por algunos proveedores de DDS. En concreto, un uso indebido de la funci\u00f3n PKCS7_verify de OpenSSL utilizada para validar firmas S/MIME.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cve-coordination@incibe.es\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L\",\"baseScore\":8.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":4.2}]},\"weaknesses\":[{\"source\":\"cve-coordination@incibe.es\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"}]}],\"references\":[{\"url\":\"https://gist.github.com/vmayoral/235c02d0b0ef85a29812eff6980ff80d\",\"source\":\"cve-coordination@incibe.es\"},{\"url\":\"https://github.com/ros2/sros2/issues/282\",\"source\":\"cve-coordination@incibe.es\"},{\"url\":\"https://gist.github.com/vmayoral/235c02d0b0ef85a29812eff6980ff80d\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-24010\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-01-09T15:29:56.704739Z\"}}}], \"references\": [{\"url\": \"https://gist.github.com/vmayoral/235c02d0b0ef85a29812eff6980ff80d\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-01-09T15:30:12.991Z\"}}], \"cna\": {\"title\": \"Data Distribution Service (DDS) Chain of Trust (CoT) violation in Fast DDS\", \"source\": {\"advisory\": \"RVD#3345\", \"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"amrc-benmorrow\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Gianluca Caizza\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Ruffin White\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Victor Mayoral Vilches\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Mikael Arguedas\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"eProsima\", \"product\": \"DDS\", \"versions\": [{\"status\": \"affected\", \"version\": \"all versions\"}], \"packageName\": \"sros2\", \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Instead of including the Permission CA into the store of trusted certificates to use for chain verification, the Permission CA (and only the Permission CA) should be included in the set of certificates in which to search for signer\u0027s certificates. The store of trusted certificates to use for chain verification should then also be set to null. 2) With the store of trusted certificates to use for chain verification set to null, the PKCS7_NOVERIFY flag should then be enabled so any signer\u0027s certificates (i.e. only the Permission CA) is not chain verified. 3) Given that only a valid signer\u0027s certificate must be the Permission CA, the PKCS7_NOINTERN flag should then be enabled so any set of certificates in the message itself are not searched when locating the signer\u0027s certificates.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Instead of including the Permission CA into the store of trusted certificates to use for chain verification, the Permission CA (and only the Permission CA) should be included in the set of certificates in which to search for signer\u0027s certificates. The store of trusted certificates to use for chain verification should then also be set to null. 2) With the store of trusted certificates to use for chain verification set to null, the PKCS7_NOVERIFY flag should then be enabled so any signer\u0027s certificates (i.e. only the Permission CA) is not chain verified. 3) Given that only a valid signer\u0027s certificate must be the Permission CA, the PKCS7_NOINTERN flag should then be enabled so any set of certificates in the message itself are not searched when locating the signer\u0027s certificates.\", \"base64\": false}]}], \"datePublic\": \"2023-02-25T11:00:00.000Z\", \"references\": [{\"url\": \"https://github.com/ros2/sros2/issues/282\"}, {\"url\": \"https://gist.github.com/vmayoral/235c02d0b0ef85a29812eff6980ff80d\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"An attacker can arbitrarily craft malicious DDS Participants (or ROS 2 Nodes) with valid certificates to compromise and get full control of the attacked secure DDS databus system by exploiting vulnerable attributes in the configuration of PKCS#7 certificate\\u2019s validation. This is caused by a non-compliant implementation of permission document verification used by some DDS vendors. Specifically, an improper use of the OpenSSL PKCS7_verify function used to validate S/MIME signatures.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"An attacker can arbitrarily craft malicious DDS Participants (or ROS 2 Nodes) with valid certificates to compromise and get full control of the attacked secure DDS databus system by exploiting vulnerable attributes in the configuration of PKCS#7 certificate\\u2019s validation. This is caused by a non-compliant implementation of permission document verification used by some DDS vendors. Specifically, an improper use of the OpenSSL PKCS7_verify function used to validate S/MIME signatures.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-200\", \"description\": \"CWE-200 Exposure of Sensitive Information to an Unauthorized Actor\"}]}], \"providerMetadata\": {\"orgId\": \"0cbda920-cd7f-484a-8e76-bf7f4b7f4516\", \"shortName\": \"INCIBE\", \"dateUpdated\": \"2025-01-09T20:05:48.421277Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-24010\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-01-09T20:05:48.421277Z\", \"dateReserved\": \"2023-01-20T12:00:57.059Z\", \"assignerOrgId\": \"0cbda920-cd7f-484a-8e76-bf7f4b7f4516\", \"datePublished\": \"2025-01-09T14:36:05.972Z\", \"assignerShortName\": \"INCIBE\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.