CVE-2023-24011
Vulnerability from cvelistv5
Published
2025-01-09 14:36
Modified
2025-01-09 20:05
Severity ?
8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
Summary
An attacker can arbitrarily craft malicious DDS Participants (or ROS 2 Nodes) with valid certificates to compromise and get full control of the attacked secure DDS databus system by exploiting vulnerable attributes in the configuration of PKCS#7 certificate’s validation. This is caused by a non-compliant implementation of permission document verification used by some DDS vendors. Specifically, an improper use of the OpenSSL PKCS7_verify function used to validate S/MIME signatures.
References
cve-coordination@incibe.eshttps://gist.github.com/vmayoral/235c02d0b0ef85a29812eff6980ff80d
cve-coordination@incibe.eshttps://github.com/ros2/sros2/issues/282
134c704f-9b21-4f2e-91b3-4a467353bcc0https://gist.github.com/vmayoral/235c02d0b0ef85a29812eff6980ff80d
Impacted products
Vendor Product Version
ZettaScale DDS Version: all versions
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
   containers: {
      adp: [
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2023-24011",
                        options: [
                           {
                              Exploitation: "poc",
                           },
                           {
                              Automatable: "yes",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2025-01-09T15:28:56.515535Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2025-01-09T15:29:16.101Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            references: [
               {
                  tags: [
                     "exploit",
                  ],
                  url: "https://gist.github.com/vmayoral/235c02d0b0ef85a29812eff6980ff80d",
               },
            ],
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               defaultStatus: "unaffected",
               packageName: "sros2",
               product: "DDS",
               vendor: "ZettaScale",
               versions: [
                  {
                     status: "affected",
                     version: "all versions",
                  },
               ],
            },
         ],
         credits: [
            {
               lang: "en",
               type: "finder",
               value: "amrc-benmorrow",
            },
            {
               lang: "en",
               type: "finder",
               value: "Gianluca Caizza",
            },
            {
               lang: "en",
               type: "finder",
               value: "Ruffin White",
            },
            {
               lang: "en",
               type: "finder",
               value: "Victor Mayoral Vilches",
            },
            {
               lang: "en",
               type: "finder",
               value: "Mikael Arguedas",
            },
         ],
         datePublic: "2023-02-25T11:00:00.000Z",
         descriptions: [
            {
               lang: "en",
               supportingMedia: [
                  {
                     base64: false,
                     type: "text/html",
                     value: "An attacker can arbitrarily craft malicious DDS Participants (or ROS 2 Nodes) with valid certificates to compromise and get full control of the attacked secure DDS databus system by exploiting vulnerable attributes in the configuration of PKCS#7 certificate’s validation. This is caused by a non-compliant implementation of permission document verification used by some DDS vendors. Specifically, an improper use of the OpenSSL PKCS7_verify function used to validate S/MIME signatures.<br>",
                  },
               ],
               value: "An attacker can arbitrarily craft malicious DDS Participants (or ROS 2 Nodes) with valid certificates to compromise and get full control of the attacked secure DDS databus system by exploiting vulnerable attributes in the configuration of PKCS#7 certificate’s validation. This is caused by a non-compliant implementation of permission document verification used by some DDS vendors. Specifically, an improper use of the OpenSSL PKCS7_verify function used to validate S/MIME signatures.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "LOW",
                  baseScore: 8.2,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
                  version: "3.1",
               },
               format: "CVSS",
               scenarios: [
                  {
                     lang: "en",
                     value: "GENERAL",
                  },
               ],
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-200",
                     description: "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2025-01-09T20:05:46.897043Z",
            orgId: "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
            shortName: "INCIBE",
         },
         references: [
            {
               url: "https://github.com/ros2/sros2/issues/282",
            },
            {
               url: "https://gist.github.com/vmayoral/235c02d0b0ef85a29812eff6980ff80d",
            },
         ],
         solutions: [
            {
               lang: "en",
               supportingMedia: [
                  {
                     base64: false,
                     type: "text/html",
                     value: "Instead of including the Permission CA into the store of trusted certificates to use for chain verification, the Permission CA (and only the Permission CA) should be included in the set of certificates in which to search for signer's certificates. The store of trusted certificates to use for chain verification should then also be set to null. 2) With the store of trusted certificates to use for chain verification set to null, the PKCS7_NOVERIFY flag should then be enabled so any signer's certificates (i.e. only the Permission CA) is not chain verified. 3) Given that only a valid signer's certificate must be the Permission CA, the PKCS7_NOINTERN flag should then be enabled so any set of certificates in the message itself are not searched when locating the signer's certificates.",
                  },
               ],
               value: "Instead of including the Permission CA into the store of trusted certificates to use for chain verification, the Permission CA (and only the Permission CA) should be included in the set of certificates in which to search for signer's certificates. The store of trusted certificates to use for chain verification should then also be set to null. 2) With the store of trusted certificates to use for chain verification set to null, the PKCS7_NOVERIFY flag should then be enabled so any signer's certificates (i.e. only the Permission CA) is not chain verified. 3) Given that only a valid signer's certificate must be the Permission CA, the PKCS7_NOINTERN flag should then be enabled so any set of certificates in the message itself are not searched when locating the signer's certificates.",
            },
         ],
         source: {
            advisory: "RVD#3346",
            discovery: "EXTERNAL",
         },
         title: "Data Distribution Service (DDS) Chain of Trust (CoT) violation vulnerability in Cyclone DDS",
         x_generator: {
            engine: "Vulnogram 0.2.0",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
      assignerShortName: "INCIBE",
      cveId: "CVE-2023-24011",
      datePublished: "2025-01-09T14:36:10.761Z",
      dateReserved: "2023-01-20T12:00:57.059Z",
      dateUpdated: "2025-01-09T20:05:46.897043Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
   "vulnerability-lookup:meta": {
      nvd: "{\"cve\":{\"id\":\"CVE-2023-24011\",\"sourceIdentifier\":\"cve-coordination@incibe.es\",\"published\":\"2025-01-09T15:15:11.657\",\"lastModified\":\"2025-01-09T16:15:31.323\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An attacker can arbitrarily craft malicious DDS Participants (or ROS 2 Nodes) with valid certificates to compromise and get full control of the attacked secure DDS databus system by exploiting vulnerable attributes in the configuration of PKCS#7 certificate’s validation. This is caused by a non-compliant implementation of permission document verification used by some DDS vendors. Specifically, an improper use of the OpenSSL PKCS7_verify function used to validate S/MIME signatures.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cve-coordination@incibe.es\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L\",\"baseScore\":8.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":4.2}]},\"weaknesses\":[{\"source\":\"cve-coordination@incibe.es\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"}]}],\"references\":[{\"url\":\"https://gist.github.com/vmayoral/235c02d0b0ef85a29812eff6980ff80d\",\"source\":\"cve-coordination@incibe.es\"},{\"url\":\"https://github.com/ros2/sros2/issues/282\",\"source\":\"cve-coordination@incibe.es\"},{\"url\":\"https://gist.github.com/vmayoral/235c02d0b0ef85a29812eff6980ff80d\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
      vulnrichment: {
         containers: "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-24011\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-01-09T15:28:56.515535Z\"}}}], \"references\": [{\"url\": \"https://gist.github.com/vmayoral/235c02d0b0ef85a29812eff6980ff80d\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-01-09T15:29:08.460Z\"}}], \"cna\": {\"title\": \"Data Distribution Service (DDS) Chain of Trust (CoT) violation vulnerability in Cyclone DDS\", \"source\": {\"advisory\": \"RVD#3346\", \"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"amrc-benmorrow\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Gianluca Caizza\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Ruffin White\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Victor Mayoral Vilches\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Mikael Arguedas\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"ZettaScale\", \"product\": \"DDS\", \"versions\": [{\"status\": \"affected\", \"version\": \"all versions\"}], \"packageName\": \"sros2\", \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Instead of including the Permission CA into the store of trusted certificates to use for chain verification, the Permission CA (and only the Permission CA) should be included in the set of certificates in which to search for signer's certificates. The store of trusted certificates to use for chain verification should then also be set to null. 2) With the store of trusted certificates to use for chain verification set to null, the PKCS7_NOVERIFY flag should then be enabled so any signer's certificates (i.e. only the Permission CA) is not chain verified. 3) Given that only a valid signer's certificate must be the Permission CA, the PKCS7_NOINTERN flag should then be enabled so any set of certificates in the message itself are not searched when locating the signer's certificates.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Instead of including the Permission CA into the store of trusted certificates to use for chain verification, the Permission CA (and only the Permission CA) should be included in the set of certificates in which to search for signer's certificates. The store of trusted certificates to use for chain verification should then also be set to null. 2) With the store of trusted certificates to use for chain verification set to null, the PKCS7_NOVERIFY flag should then be enabled so any signer's certificates (i.e. only the Permission CA) is not chain verified. 3) Given that only a valid signer's certificate must be the Permission CA, the PKCS7_NOINTERN flag should then be enabled so any set of certificates in the message itself are not searched when locating the signer's certificates.\", \"base64\": false}]}], \"datePublic\": \"2023-02-25T11:00:00.000Z\", \"references\": [{\"url\": \"https://github.com/ros2/sros2/issues/282\"}, {\"url\": \"https://gist.github.com/vmayoral/235c02d0b0ef85a29812eff6980ff80d\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"An attacker can arbitrarily craft malicious DDS Participants (or ROS 2 Nodes) with valid certificates to compromise and get full control of the attacked secure DDS databus system by exploiting vulnerable attributes in the configuration of PKCS#7 certificate\\u2019s validation. This is caused by a non-compliant implementation of permission document verification used by some DDS vendors. Specifically, an improper use of the OpenSSL PKCS7_verify function used to validate S/MIME signatures.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"An attacker can arbitrarily craft malicious DDS Participants (or ROS 2 Nodes) with valid certificates to compromise and get full control of the attacked secure DDS databus system by exploiting vulnerable attributes in the configuration of PKCS#7 certificate\\u2019s validation. This is caused by a non-compliant implementation of permission document verification used by some DDS vendors. Specifically, an improper use of the OpenSSL PKCS7_verify function used to validate S/MIME signatures.<br>\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-200\", \"description\": \"CWE-200 Exposure of Sensitive Information to an Unauthorized Actor\"}]}], \"providerMetadata\": {\"orgId\": \"0cbda920-cd7f-484a-8e76-bf7f4b7f4516\", \"shortName\": \"INCIBE\", \"dateUpdated\": \"2025-01-09T20:05:46.897043Z\"}}}",
         cveMetadata: "{\"cveId\": \"CVE-2023-24011\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-01-09T20:05:46.897043Z\", \"dateReserved\": \"2023-01-20T12:00:57.059Z\", \"assignerOrgId\": \"0cbda920-cd7f-484a-8e76-bf7f4b7f4516\", \"datePublished\": \"2025-01-09T14:36:10.761Z\", \"assignerShortName\": \"INCIBE\"}",
         dataType: "CVE_RECORD",
         dataVersion: "5.1",
      },
   },
}


Log in or create an account to share your comment.

Security Advisory comment format.

This schema specifies the format of a comment related to a security advisory.

UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).



Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.