CVE-2023-33567: GitHub - 16yashpatel/CVE-2023-33567: Unauthorized Access Vulnerability in ROS2 Foxy Fitzroy

CVE ID

CVE-2023-33567

Title

Unauthorized Access Vulnerability in ROS2 Foxy Fitzroy

Vulnerability Type

Unauthorized Access

Severity

TBD (Upon Analysis)

Vendor

The Open Source Robotics Foundation (OSRF)

Products Affected

ROS2 Foxy Fitzroy (ROS_VERSION=2 and ROS_PYTHON_VERSION=3)

Description

An unauthorized access vulnerability has been discovered in ROS2 Foxy Fitzroy versions where ROS_VERSION is 2 and ROS_PYTHON_VERSION is 3. This vulnerability could potentially allow a malicious user to gain unauthorized access to multiple ROS2 nodes remotely. Unauthorized access to these nodes could result in compromised system integrity, the execution of arbitrary commands, and disclosure of sensitive information.

Impact

Successful exploitation of this vulnerability could allow an attacker to gain unauthorized access to multiple ROS2 nodes, leading to a compromise of system integrity and potential loss of confidentiality and control over robotic operations. Depending on the nature and functionality of the affected system, this could have severe implications.

Attack Vector

This vulnerability can be exploited remotely. The specifics of the attack vector are currently undisclosed.

Solution

Users are advised to update to the latest version as soon as it becomes available and monitor advisories from the ROS2 development team. In the interim, users should consider implementing strict access controls and use strong, unique credentials to help mitigate potential unauthorized access.

Workaround

There is currently no known workaround for this vulnerability. The primary mitigation is to update to a patched version as soon as it is available.

CVE Status

Confirmed and published.

Credit

Yash Patel and Dr. Parag Rughani

References

https://dl.acm.org/doi/abs/10.1145/3573910.3573912