Upgrade Fast-DDS Now to Patch Remote Crash Vulnerability

CVE: CVE-2023-42459
CVSS (v3.1): 8.6
Source: CVE-2023-42459

Fast-DDS, eProsima's open-source implementation of the DDS standard used for building distributed robotics and IoT applications, was found to contain a memory-safety bug that lets a remote attacker crash any Fast-DDS process, with a possible double-free behind it.

Attackers could send specially crafted DATA submessages to one of a participant's discovery locators; handling those submessages triggers a bad free that crashes the process. Because the freed pointer can remain under the attacker's control, the advisory also flags the possibility of a double-free, which is why the issue is rated as more than a plain denial of service.

In simple terms, anyone who can reach the discovery ports of a Fast-DDS application (typically anyone on the same network segment, since DDS discovery runs over UDP and multicast by default) can crash it simply by sending malformed messages. The advisory establishes the crash; whether the double-free can be turned into arbitrary code execution is not established, so treat this as a remotely triggerable memory-safety bug rather than as a confirmed RCE, and do not dismiss it as a nuisance.

The Fast-DDS developers fixed the issue in 2.12.0 and backported the fix to 2.11.3, 2.10.3 and 2.6.7. Users should upgrade immediately to the fix release for their branch. The advisory lists fixes only for those four release lines, so installations on any other 2.x line should be treated as unpatched and moved to one of the listed versions.
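Deciding whether a given installation is fixed is easy to get wrong with a plain numeric comparison, because the fix was backported per branch: 2.9.1 is numerically newer than 2.6.7 but its branch is not in the fix list. The script below is an added example, not code from the advisory or from the Fast-DDS project. It encodes the four fix versions named above and treats every other version as unpatched. The header-parsing helper assumes the layout of the `fastrtps/config.h` shipped with Fast-DDS 2.x (`FASTRTPS_VERSION_MAJOR`/`MINOR`/`MICRO` defines); the sample header text is constructed, not read from a real install.

```python
"""Check whether a Fast-DDS version carries the fix for CVE-2023-42459.

Added example, not part of the original advisory or the Fast-DDS project.
Patched releases are the four named in the advisory (2.12.0, 2.11.3, 2.10.3,
2.6.7). Anything else, including release lines that received no backport and
anything older than 2.6.7, is treated as unpatched (a conservative assumption).
"""
import re

# First patch level carrying the fix, per release branch, from the advisory.
FIXED_IN = {
    (2, 6): 7,
    (2, 10): 3,
    (2, 11): 3,
    (2, 12): 0,
}

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Parse 'MAJOR.MINOR.PATCH' (optional leading 'v'; trailing suffix ignored)."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version):
    """True if `version` is a release that contains the fix.

    Plain numeric comparison is wrong here: 2.9.1 is numerically newer than
    2.6.7, but the 2.9 line is not in the advisory's fix list.
    """
    major, minor, patch = parse_version(version)
    # 2.12.0 and everything after it (including later majors) has the fix.
    if (major, minor) >= (2, 12):
        return True
    fixed_patch = FIXED_IN.get((major, minor))
    return fixed_patch is not None and patch >= fixed_patch


# Assumed layout of the installed header <fastrtps/config.h> in Fast-DDS 2.x.
# This text is a constructed sample for the example, not a real install.
SAMPLE_CONFIG_H = """
#define FASTRTPS_VERSION_MAJOR 2
#define FASTRTPS_VERSION_MINOR 10
#define FASTRTPS_VERSION_MICRO 2
#define FASTRTPS_VERSION_STR "2.10.2"
"""

_DEFINE_RE = re.compile(r"#define\s+FASTRTPS_VERSION_(MAJOR|MINOR|MICRO)\s+(\d+)")


def version_from_config_h(header_text):
    """Extract 'MAJOR.MINOR.MICRO' from config.h-style #define lines."""
    found = dict(_DEFINE_RE.findall(header_text))
    try:
        return f"{found['MAJOR']}.{found['MINOR']}.{found['MICRO']}"
    except KeyError as exc:
        raise ValueError("version defines not found in header") from exc


def audit(versions):
    """Map each version string to 'patched' / 'UNPATCHED' for a quick report."""
    return {v: ("patched" if is_patched(v) else "UNPATCHED") for v in versions}


if __name__ == "__main__":
    installed = version_from_config_h(SAMPLE_CONFIG_H)
    print(f"sample install reports {installed}: "
          f"{'patched' if is_patched(installed) else 'UNPATCHED, upgrade'}")
    for v, status in audit(
        ["2.6.6", "2.6.7", "2.9.1", "2.10.3", "2.11.2", "2.12.0", "3.0.0"]
    ).items():
        print(f"{v:>8}: {status}")
```

On a real host, read the installed header (for example `/usr/include/fastrtps/config.h`, path assumed) and pass its contents to `version_from_config_h`; a fleet inventory can feed `audit` the versions it already tracks.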

Network segmentation, firewalling of the DDS discovery ports and binding participants only to trusted interfaces reduce exposure, but only upgrading Fast-DDS removes the bug. Robotics, IoT and other distributed systems relying on Fast-DDS for connectivity should prioritize the update to prevent remote exploitation of this issue.
