Security loopholes found in multiple open-source Object Management Group DDS implementations
The Cybersecurity and Infrastructure Security Agency (CISA) has released an advisory that addresses a vulnerability that originates within and affects the implementation of the Data-Distribution Service (DDS) standard. The security flaws have been detected in multiple open-source and proprietary Object Management Group (OMG) DDS implementations. In addition, the advisory addresses other vulnerabilities found within the DDS implementation.
CISA issued its advisory to provide early notice of the reported vulnerabilities and identify baseline mitigations for reducing risks to these and other cybersecurity attacks. DDS implementations are used in applications like aerospace and defense, air-traffic control, autonomous vehicles, medical devices, robotics, power generation, simulation and testing, smart grid management, transportation systems, and other applications that require real-time data exchange.
The affected vendors included in the CISA advisory are Eclipse, eProsima, GurumNetworks, Object Computing Inc. (OCI), Real-Time Innovations (RTI), and TwinOaks Computing.
The advisory found that the following OMG DDS implementations, used in multiple critical infrastructure sectors, were affected, including all versions before 0.8.0 of the Eclipse CycloneDDS, all versions prior to 2.4.0 (#2269) of the eProsima Fast DDS, all versions of the GurumNetworks GurumDDS, and all versions prior to 3.18.1 of the OCI OpenDDS.
The agency also revealed the presence of vulnerabilities in versions 4.2x to 6.1.0 of the RTI Connext DDS Professional and Connext DDS Secure, versions 3.0.0 and later of the RTI Connext DDS Micro, and all versions prior to 5.9.1 of the TwinOaks Computing CoreDX DDS.
CISA said that the identified vulnerabilities include write-what-where condition, improper handling of syntactically invalid structure, network amplification, incorrect calculation of buffer size, heap-based buffer overflow, improper handling of length parameter inconsistency, amplification, and stack-based buffer overflow. The exploitation of these vulnerabilities could result in denial-of-service or buffer-overflow conditions, which may lead to remote code execution or information exposure.
Federico Maggi (Trend Micro Research), Ta-Lun Yen, and Chizuru Toyama (TXOne Networks, Trend Micro) reported these vulnerabilities to CISA, the advisory said. In addition, Patrick Kuo, Mars Cheng (TXOne Networks, Trend Micro), Víctor Mayoral-Vilches (Alias Robotics), and Erik Boasson (ADLINK Technology) also contributed to the research.
Eclipse recommends that its users apply the latest CycloneDDS patches, while eProsima also advised its customers to apply the latest Fast DDS patches. CISA reached out to Gurum Networks but did not respond to requests for coordination.
The agency advised users to contact GurumNetworks for assistance. In the case of OCI, CISA recommends that users update to Version 3.18.1 of OpenDDS or later. RTI recommends users apply the available patches for these issues. A patch is available on the RTI customer portal or by contacting RTI Support. Users can also contact RTI Support for mitigations, including how to use RTI DDS Secure to mitigate against the network amplification issue.
The last vendor, Twin Oaks Computing, recommended that users apply CoreDX DDS Version 5.9.1 or later, which can be downloaded from their Twin Oaks website, though a login was required.
Related
