CVE-2023-33566: GitHub - 16yashpatel/CVE-2023-33566: Unauthorized Node Injection Vulnerability in ROS2 Foxy Fitzroy
CVE ID
CVE-2023-33566
Title
Unauthorized Node Injection Vulnerability in ROS2 Foxy Fitzroy
Vulnerability Type
Injection
Severity
TBD (pending analysis)
Vendor
The Open Source Robotics Foundation (OSRF)
Products Affected
ROS2 Foxy Fitzroy (ROS_VERSION=2 and ROS_PYTHON_VERSION=3)
Description
An unauthorized node injection vulnerability has been identified in ROS2 Foxy Fitzroy installations where ROS_VERSION is 2 and ROS_PYTHON_VERSION is 3. It could allow a remote attacker to inject malicious ROS2 nodes into the system. Once injected, such nodes could disrupt the normal operation of the system or cause other potentially harmful behavior.
Impact
Successful exploitation of this vulnerability could allow an attacker to inject malicious nodes into the system, disrupting regular operations and potentially leading to unauthorized access or control over robotic operations. Depending on the nature and functionality of the affected system, this could have serious implications.
Attack Vector
This vulnerability can be exploited remotely. The specifics of the attack vector are currently undisclosed.
Solution
Users are advised to update to a fixed version as soon as one becomes available and to monitor advisories from the ROS2 development team. In the interim, users should consider implementing strict access controls to help mitigate potential unauthorized access.
Workaround
There is currently no known workaround for this vulnerability. The primary mitigation is to update to a patched version as soon as it is available.
CVE Status
Confirmed and published.
Credit
Yash Patel and Dr. Parag Rughani
References
https://dl.acm.org/doi/abs/10.1145/3573910.3573912