Improving the security of Data Distribution Service (DDS) for ROS 2 robotic systems

Together with researchers from Trend Micro Research, TXOne and ADLINK, Alias Robotics looked into the Data Distribution Service (DDS) standard, the communication middleware underlying the Robot Operating System (ROS). The full findings of this research were presented in several earlier sessions, including BlackHat Europe 2021, the ROS Industrial Europe Conference, and the ROS 2 Security Working Group.

The results have been responsibly disclosed to the affected parties over the past few months. We also followed a coordinated disclosure approach in cooperation with authorities, which was made public first in this security advisory and later in our public talks.

The major robotics technology impacted by this research is the Robot Operating System (ROS), the de facto standard for robot application development, which uses DDS as its communication middleware. ROS is a framework for creating robot behaviors that comprises various stacks and capabilities for message passing, perception, navigation, manipulation and security, among others. It's estimated that by 2024, 55% of the total commercial robots will be shipping at least one ROS package. ROS is to roboticists what Linux is to computer scientists.

| CVE ID | Description | Scope | CVSS | Notes |
|---|---|---|---|---|
| CVE-2021-38445 | OCI OpenDDS versions prior to 3.18.1 do not handle a length parameter consistent with the actual length of the associated data, which may allow an attacker to remotely execute arbitrary code. | OpenDDS, ROS 2* | 7.0 | Failed assertion; >= 3.18.1 |
| CVE-2021-38447 | OCI OpenDDS versions prior to 3.18.1 are vulnerable when an attacker sends a specially crafted packet to flood target devices with unwanted traffic, which may result in a denial-of-service condition. | OpenDDS, ROS 2* | 8.6 | Resource exhaustion; >= 3.18.1 |
| CVE-2021-38435 | RTI Connext DDS Professional, Connext DDS Secure Versions 4.2x to 6.1.0, and Connext DDS Micro Versions 3.0.0 and later do not correctly calculate the size when allocating the buffer, which may result in a buffer overflow. | ConnextDDS, ROS 2* | 8.6 | Segmentation fault via network; >= 6.1.0 |
| CVE-2021-38423 | All versions of GurumDDS improperly calculate the size to be used when allocating the buffer, which may result in a buffer overflow. | GurumDDS, ROS 2* | 8.6 | Segmentation fault via network |
| CVE-2021-38439 | All versions of GurumDDS are vulnerable to heap-based buffer overflow, which may cause a denial-of-service condition or remotely execute arbitrary code. | GurumDDS, ROS 2* | 8.6 | Heap-overflow via network |
| CVE-2021-38437 | | GurumDDS, ROS 2* | 7.3 | Unmaintained XML lib. |
| CVE-2021-38441 | Eclipse CycloneDDS versions prior to 0.8.0 are vulnerable to a write-what-where condition, which may allow an attacker to write arbitrary values in the XML parser. | CycloneDDS, ROS 2* | 6.6 | Heap-write in XML parser |
| CVE-2021-38443 | Eclipse CycloneDDS versions prior to 0.8.0 improperly handle invalid structures, which may allow an attacker to write arbitrary values in the XML parser. | CycloneDDS, ROS 2* | 6.6 | 8-byte heap-write in XML parser |
| CVE-2021-38427 | RTI Connext DDS Professional, Connext DDS Secure Versions 4.2x to 6.1.0, and Connext DDS Micro Versions 3.0.0 and later are vulnerable to a stack-based buffer overflow, which may allow a local attacker to execute arbitrary code. | RTI ConnextDDS, ROS 2* | 6.6 | Stack overflow in XML parser; >= 6.1.0 |
| CVE-2021-38433 | RTI Connext DDS Professional, Connext DDS Secure Versions 4.2x to 6.1.0, and Connext DDS Micro Versions 3.0.0 and later are vulnerable to a stack-based buffer overflow, which may allow a local attacker to execute arbitrary code. | RTI ConnextDDS, ROS 2* | 6.6 | Stack overflow in XML parser; >= 6.1.0 |
| CVE-2021-38487 | RTI Connext DDS Professional, Connext DDS Secure Versions 4.2x to 6.1.0, and Connext DDS Micro Versions 3.0.0 and later are vulnerable when an attacker sends a specially crafted packet to flood victims' devices with unwanted traffic, which may result in a denial-of-service condition. | ConnextDDS, ROS 2* | 8.6 | Mitigation patch in >= 6.1.0 |
| CVE-2021-38429 | OCI OpenDDS versions prior to 3.18.1 are vulnerable when an attacker sends a specially crafted packet to flood victims' devices with unwanted traffic, which may result in a denial-of-service condition. | OpenDDS, ROS 2* | 8.6 | Mitigation patch in >= 3.18.1 |
| CVE-2021-38425 | eProsima Fast-DDS versions prior to 2.4.0 (#2269) are susceptible to exploitation when an attacker sends a specially crafted packet to flood a target device with unwanted traffic, which may result in a denial-of-service condition. | eProsima Fast-DDS, ROS 2* | 8.6 | WIP mitigation in master |
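Several entries above share one root cause: a length field read from the packet was trusted over the real size of the received buffer. The bounds-checked walk over RTPS submessages below is an added example written for this post, not code from the advisory or from any DDS vendor; it assumes the standard RTPS framing (a 20-byte message header followed by 4-byte submessage headers whose octetsToNextHeader field is untrusted) and uses constructed sample datagrams.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RTPS_HEADER_LEN   20   /* "RTPS" magic, version(2), vendorId(2), guidPrefix(12) */
#define SUBMSG_HEADER_LEN 4    /* submessageId(1), flags(1), octetsToNextHeader(2) */
#define FLAG_ENDIANNESS   0x01 /* flags bit 0 set: submessage fields are little-endian */

/* Walks every submessage and returns how many were well-formed, or -1 as soon as
 * a header is truncated or octetsToNextHeader would overrun the datagram. The
 * length field is attacker-controlled, so it is checked against the bytes
 * actually received before it is ever used to advance the cursor. */
int rtps_count_submessages(const uint8_t *buf, size_t len)
{
    if (len < RTPS_HEADER_LEN || memcmp(buf, "RTPS", 4) != 0)
        return -1;
    size_t off = RTPS_HEADER_LEN;
    int count = 0;
    while (off < len) {
        if (len - off < SUBMSG_HEADER_LEN)
            return -1;                       /* submessage header itself is cut off */
        uint8_t flags = buf[off + 1];
        uint16_t next = (flags & FLAG_ENDIANNESS)
            ? (uint16_t)(buf[off + 2] | (buf[off + 3] << 8))
            : (uint16_t)((buf[off + 2] << 8) | buf[off + 3]);
        size_t body_off = off + SUBMSG_HEADER_LEN;
        /* octetsToNextHeader == 0 is legal only for the last submessage and
         * means "the body runs to the end of the message". */
        size_t body_len = next ? next : len - body_off;
        if (body_len > len - body_off)
            return -1;                       /* claimed length exceeds the buffer */
        off = body_off + body_len;
        count++;
    }
    return count;
}

/* Constructed sample datagrams (not captured traffic): an RTPS 2.3 header with a
 * made-up vendorId and GUID prefix, followed by minimal submessages. */
#define SAMPLE_HDR 'R','T','P','S', 2,3, 0x01,0x0F, 1,2,3,4,5,6,7,8,9,10,11,12
static const uint8_t SAMPLE_OK[] = {
    SAMPLE_HDR,
    0x09, 0x01, 0x08, 0x00,  0,0,0,0,0,0,0,0,   /* INFO_TS, little-endian, 8-byte body */
    0x01, 0x00, 0x00, 0x04,  0,0,0,0            /* PAD, big-endian, 4-byte body */
};
static const uint8_t SAMPLE_OVERRUN[] = {
    SAMPLE_HDR,
    0x09, 0x01, 0x40, 0x00,  0,0,0,0,0,0,0,0    /* claims 64 body bytes, only 8 present */
};
```

The same check generalizes to any length-prefixed field inside a submessage body (parameter lists, fragment sizes): compare the claimed length against the bytes remaining before using it.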

Finding vulnerable DDS endpoints

By measuring the exposure of DDS services, in one month we found 643 distinct public-facing DDS services in 34 countries, affecting 100 organizations via 89 internet service providers (ISPs). These ran DDS implementations from seven distinct vendors (one of which we were initially unaware of); among them, 202 leaked private IP addresses (revealing internal network architecture details) and 7 leaked supposedly secret URLs.

Some of these IP addresses expose unpatched or outdated DDS implementations, which are affected by some of the vulnerabilities that we’ve discovered and disclosed in November.

This research is the result of a collaboration between Alias Robotics, Trend Micro Research, TXOne Networks and ADLINK. We analyzed the DDS specifications and the 6 implementations maintained by certified vendors, which together have millions of deployments globally. During our research, we interviewed key DDS users and system integrators to collect their feedback on our findings and on the importance of DDS for innovation in their respective sectors.

DDS development environment exposed to the internet

While monitoring for exposed continuous-integration/continuous-deployment (CI/CD) systems via Shodan, we found that one DDS developer left their custom CI/CD environment fully exposed to the internet with default credentials. Despite our numerous attempts to contact this vendor, including through vulnerability brokers and Computer Emergency Readiness Teams (CERTs), we received no response. Fortunately, the exposed system was properly locked down after a few months.

Left open, this could have let a malicious actor wipe, steal, or trojanize their most valuable intellectual property — the source code.

An exposed continuous integration system used by a DDS developer, with default access credentials in plaintext

The Robot Immune System (RIS)

Alias Robotics' Robot Immune System (RIS) customers are protected against the findings in this research, particularly against the reflection attacks (CVE-2021-38487, CVE-2021-38429 and CVE-2021-38425). In addition, the RIS firewall can be customized to block incoming DDS and ROS 2 footprinting attempts.

We are working on new capabilities that allow RIS to introspect other DDS and ROS 2 participants, detect when one of them runs a vulnerable DDS version, and report it appropriately.