Eclipse CycloneDDS versions prior to 0.8.0 are vulnerable to a write-what-where condition, which may allow an attacker to write arbitrary values in the XML parser.
{"cve": [{"lastseen": "2023-02-09T14:28:24", "description": "Eclipse CycloneDDS versions prior to 0.8.0 are vulnerable to a write-what-where condition, which may allow an attacker to write arbitrary values in the XML parser.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-05T17:15:00", "type": "cve", "title": "CVE-2021-38441", "cwe": ["CWE-123"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38441"], "modified": "2022-05-13T03:53:00", "cpe": [], "id": "CVE-2021-38441", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38441", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}], "ubuntucve": [{"lastseen": "2022-10-26T13:17:51", "description": "Eclipse CycloneDDS versions prior to 0.8.0 are vulnerable to a\nwrite-what-where condition, which may allow an attacker to write arbitrary\nvalues in the XML parser.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-05T00:00:00", "type": "ubuntucve", "title": "CVE-2021-38441", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38441"], "modified": "2022-05-05T00:00:00", "id": "UB:CVE-2021-38441", "href": "https://ubuntu.com/security/CVE-2021-38441", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "ics": [{"lastseen": "2023-03-14T18:28:31", "description": "## 1\\. EXECUTIVE SUMMARY\n\n * **CVSS v3 8.6**\n * **ATTENTION: **Exploitable remotely/low attack complexity\n * **Vendors: **Eclipse, eProsima, GurumNetworks, Object Computing, Inc. (OCI), Real-Time Innovations (RTI), TwinOaks Computing\n * **Equipment: **CycloneDDS, FastDDS, GurumDDS, OpenDDS, Connext DDS Professional, Connext DDS Secure, Connext DDS Micro, CoreDX DDS\n * **Vulnerabilities:** Write-what-where Condition, Improper Handling of Syntactically Invalid Structure, Network Amplification, Incorrect Calculation of Buffer Size, Heap-based Buffer Overflow, Improper Handling of Length Parameter Inconsistency, Amplification, Stack-based Buffer Overflow\n\nCISA is aware of a public report detailing vulnerabilities found in multiple open-source and proprietary Object Management Group (OMG) Data-Distribution Service (DDS) implementations. This advisory addresses a vulnerability that originates within, and affects the implementation of, the DDS standard. In addition, this advisory addresses other vulnerabilities found within the DDS implementation. CISA is issuing this advisory to provide early notice of the reported vulnerabilities and identify baseline mitigations for reducing risks to these and other cybersecurity attacks.\n\n## 2\\. UPDATE INFORMATION\n\nThis updated advisory is a follow-up to the original advisory titled ICSA-21-315-02 Multiple Data Distribution Service (DDS) Implementations that was published November 11, 2021, to the ICS webpage on www.cisa.gov/uscert.\n\n## 3\\. RISK EVALUATION\n\nSuccessful exploitation of these vulnerabilities could result in denial-of-service or buffer-overflow conditions, which may lead to remote code execution or information exposure.\n\n## 4\\. TECHNICAL DETAILS\n\n### 4.1 AFFECTED PRODUCTS\n\nThe following implementations of OMG DDS are affected:\n\n * Eclipse CycloneDDS: All versions prior to 0.8.0\n * eProsima Fast DDS: All versions prior to 2.4.0 (#2269)\n * GurumNetworks GurumDDS: All versions\n * Object Computing, Inc. (OCI) OpenDDS: All versions prior to 3.18.1\n * Real-Time Innovations (RTI) Connext DDS Professional and Connext DDS Secure: Versions 4.2x to 6.1.0\n * RTI Connext DDS Micro: Versions 3.0.0 and later\n * TwinOaks Computing CoreDX DDS: All versions prior to 5.9.1\n\n### 4.2 VULNERABILITY OVERVIEW\n\n#### 4.2.1 [WRITE-WHAT-WHERE CONDITION CWE-123](<https://cwe.mitre.org/data/definitions/123.html>)\n\nEclipse CycloneDDS versions prior to 0.8.0 are vulnerable to a write-what-where condition, which may allow an attacker to write arbitrary values in the XML parser.\n\n[CVE-2021-38441](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38441>) has been assigned to this vulnerability. A CVSS v3 base score of 6.6 has been calculated; the CVSS vector string is ([AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H>)).\n\n#### 4.2.2 [IMPROPER HANDLING OF SYNTACTICALLY INVALID STRUCTURE CWE-228](<https://cwe.mitre.org/data/definitions/228.html>)\n\nEclipse CycloneDDS versions prior to 0.8.0 improperly handle invalid structures, which may allow an attacker to write arbitrary values in the XML parser.\n\n[CVE-2021-38443](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38443>) has been assigned to this vulnerability. A CVSS v3 base score of 6.6 has been calculated; the CVSS vector string is ([AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H>)).\n\n#### 4.2.3 [INSUFFICIENT CONTROL OF NETWORK MESSAGE VOLUME (NETWORK AMPLIFICATION) CWE-406](<https://cwe.mitre.org/data/definitions/406.html>)\n\neProsima Fast DDS versions prior to 2.4.0 (#2269) are susceptible to exploitation when an attacker sends a specially crafted packet to flood a target device with unwanted traffic, which may result in a denial-of-service condition and information exposure.\n\n**\\--------- Begin Update A Part 1 of 4---------**\n\n[CVE-2021-38425](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38425>) has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H>)).\n\n**\\--------- End Update A Part 1 of 4 ---------**\n\n#### 4.2.4 [INCORRECT CALCULATION OF BUFFER SIZE CWE-131](<https://cwe.mitre.org/data/definitions/131.html>)\n\nAll versions of GurumDDS improperly calculate the size to be used when allocating the buffer, which may result in a buffer overflow.\n\n[CVE-2021-38423](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38423>) has been assigned to this vulnerability. A CVSS v3 base score of 6.6 has been calculated; the CVSS vector string is ([AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H>)).\n\n#### 4.2.5 [HEAP-BASED BUFFER OVERFLOW CWE-122](<https://cwe.mitre.org/data/definitions/122.html>)\n\nAll versions of GurumDDS are vulnerable to heap-based buffer overflow, which may cause a denial-of-service condition or remotely execute arbitrary code.\n\n[CVE-2021-38439](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38439>) has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H>)).\n\n#### 4.2.6 [IMPROPER HANDLING OF LENGTH PARAMETER INCONSISTENCY CWE-130](<https://cwe.mitre.org/data/definitions/130.html>)\n\nOCI OpenDDS versions prior to 3.18.1 do not handle a length parameter consistent with the actual length of the associated data, which may allow an attacker to remotely execute arbitrary code.\n\n[CVE-2021-38445](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38445>) has been assigned to this vulnerability. A CVSS v3 base score of 7.0 has been calculated; the CVSS vector string is ([AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H>)).\n\n#### 4.2.7 [ASYMMETRIC RESOURCE CONSUMPTION (AMPLIFICATION) CWE-405](<https://cwe.mitre.org/data/definitions/405.html>)\n\nOCI OpenDDS versions prior to 3.18.1 are vulnerable when an attacker sends a specially crafted packet to flood target devices with unwanted traffic, which may result in a denial-of-service condition.\n\n[CVE-2021-38447](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38447>) has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H>)).\n\n#### 4.2.8 [INSUFFICIENT CONTROL OF NETWORK MESSAGE VOLUME (NETWORK AMPLIFICATION) CWE-406](<https://cwe.mitre.org/data/definitions/406.html>)\n\nOCI OpenDDS versions prior to 3.18.1 are vulnerable when an attacker sends a specially crafted packet to flood target devices with unwanted traffic, which may result in a denial-of-service condition and information exposure.\n\n**\\--------- Begin Update A Part 2 of 4 ---------**\n\n[CVE-2021-38429](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38429>) has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H>)).\n\n**\\--------- End Update A Part 2 of 4 ---------**\n\n#### 4.2.9 [STACK-BASED BUFFER OVERFLOW CWE-121](<https://cwe.mitre.org/data/definitions/121.html>)\n\nRTI Connext DDS Professional and Connext DDS Secure Versions 4.2.x to 6.1.0 are vulnerable to a stack-based buffer overflow, which may allow a local attacker to execute arbitrary code.\n\n[CVE-2021-38427](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38427>) has been assigned to this vulnerability. A CVSS v3 base score of 6.6 has been calculated; the CVSS vector string is ([AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H>)).\n\n#### 4.2.10 [STACK-BASED BUFFER OVERFLOW CWE-121](<https://cwe.mitre.org/data/definitions/121.html>)\n\nRTI Connext DDS Professional and Connext DDS Secure Versions 4.2x to 6.1.0 vulnerable to a stack-based buffer overflow, which may allow a local attacker to execute arbitrary code.\n\n[CVE-2021-38433](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38433>) has been assigned to this vulnerability. A CVSS v3 base score of 6.6 has been calculated; the CVSS vector string is ([AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H>)).\n\n#### 4.2.11 [INCORRECT CALCULATION OF BUFFER SIZE CWE-131](<https://cwe.mitre.org/data/definitions/131.html>)\n\nRTI Connext DDS Professional and Connext DDS Secure Versions 4.2x to 6.1.0 not correctly calculate the size when allocating the buffer, which may result in a buffer overflow.\n\n[CVE-2021-38435](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38435>) has been assigned to this vulnerability. A CVSS v3 base score of 6.6 has been calculated; the CVSS vector string is ([AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H>)).\n\n#### 4.2.12 [INSUFFICIENT CONTROL OF NETWORK MESSAGE VOLUME (NETWORK AMPLIFICATION) CWE-406](<https://cwe.mitre.org/data/definitions/406.html>)\n\nRTI Connext DDS Professional, Connext DDS Secure Versions 4.2x to 6.1.0, and Connext DDS Micro Versions 2.4 and later are vulnerable when an attacker sends a specially crafted packet to flood target devices with unwanted traffic. This may result in a denial-of-service condition and information exposure.\n\n**\\--------- Begin Update A Part 3 of 4 ---------**\n\n[CVE-2021-38487](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38487>) has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H>)).\n\n**\\--------- End Update A Part 3 of 4 ---------**\n\n#### 4.2.13 [INSUFFICIENT CONTROL OF NETWORK MESSAGE VOLUME (NETWORK AMPLIFICATION) CWE-406](<https://cwe.mitre.org/data/definitions/406.html>)\n\nTwinOaks Computing CoreDX DDS versions prior to 5.9.1 are susceptible to exploitation when an attacker sends a specially crafted packet to flood target devices with unwanted traffic. This may result in a denial-of-service condition and information exposure.\n\n**\\--------- Begin Update A Part 4 of 4 ---------**\n\n[CVE-2021-43547](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-43547>) has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H>)).\n\n**\\--------- End Update A Part 4 of 4 ---------**\n\n### 4.3 BACKGROUND\n\n * **CRITICAL INFRASTRUCTURE SECTORS:** Multiple\n * **COUNTRIES/AREAS DEPLOYED: **Worldwide\n * **COMPANY HEADQUARTERS LOCATION: **Multiple\n\n### 4.4 RESEARCHER\n\nFederico Maggi (Trend Micro Research), Ta-Lun Yen, and Chizuru Toyama (TXOne Networks, Trend Micro) reported these vulnerabilities to CISA. In addition, Patrick Kuo, Mars Cheng (TXOne Networks, Trend Micro), V\u00edctor Mayoral-Vilches (Alias Robotics), and Erik Boasson (ADLINK Technology) also contributed to this research.\n\n## 5\\. MITIGATIONS\n\nEclipse recommends users apply the [latest CycloneDDS patches](<https://projects.eclipse.org/projects/iot.cyclonedds>).\n\neProsima recommends users apply the [latest Fast DDS patches](<https://github.com/eProsima/Fast-DDS>).\n\nCISA reached out to Gurum Networks but did not respond to requests for coordination. Users should [contact GurumNetworks](<mailto:contact@gurum.cc>) for assistance.\n\nOCI recommends users update to [Version 3.18.1](<https://opendds.org/>) of OpenDDS or later.\n\nRTI recommends users apply the available patches for these issues. A patch is available on the [RTI customer portal](<https://support.rti.com/s/login/?ec=302&startURL=%2Fs%2F>) or by contacting RTI Support. Also, contact [RTI Support](<mailto:support@rti.com>) for mitigations, including how to use RTI DDS Secure to mitigate against the network amplification issue defined by [CVE-2021-38487](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38487>)\n\nTwin Oaks Computing recommends users apply CoreDX DDS Version 5.9.1 or later, which can be downloaded on the [Twin Oaks website](<http://www.twinoakscomputing.com/coredx/download>) (login required).\n\nCISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:\n\n * Minimize network exposure for all control system devices and/or systems, and ensure they are [not accessible from the Internet](<https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01>).\n * Locate control system networks and remote devices behind firewalls and isolate them from the business network.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.\n\nCISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.\n\nCISA also provides a section for [control systems security recommended practices](<https://www.cisa.gov/uscert/ics/recommended-practices>) on the ICS webpage on [cisa.gov](<https://www.cisa.gov/uscert/ics>). Several recommended practices are available for reading and download, including [Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies](<https://www.cisa.gov/uscert/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf>).\n\nAdditional mitigation guidance and recommended practices are publicly available on the [ICS webpage on cisa.gov](<https://www.cisa.gov/uscert/ics>) in the Technical Information Paper, [ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies](<https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B>).\n\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.\n\nNo known public exploits specifically target these vulnerabilities.\n\n### Vendor\n\nMultiple\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-01T12:00:00", "type": "ics", "title": "Multiple Data Distribution Service (DDS) Implementations (Update A)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 7.8, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38423", "CVE-2021-38425", "CVE-2021-38427", "CVE-2021-38429", "CVE-2021-38433", "CVE-2021-38435", "CVE-2021-38439", "CVE-2021-38441", "CVE-2021-38443", "CVE-2021-38445", "CVE-2021-38447", "CVE-2021-38487", "CVE-2021-43547"], "modified": "2022-02-01T12:00:00", "id": "ICSA-21-315-02", "href": "https://www.cisa.gov/news-events/ics-advisories/icsa-21-315-02", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:C"}}]}
CVE-2021-38441
