9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.6 High
AI Score
Confidence
High
8.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:P/I:N/A:C
0.003 Low
EPSS
Percentile
68.8%
CISA is aware of a public report detailing vulnerabilities found in multiple open-source and proprietary Object Management Group (OMG) Data-Distribution Service (DDS) implementations. This advisory addresses a vulnerability that originates within, and affects the implementation of, the DDS standard. In addition, this advisory addresses other vulnerabilities found within the DDS implementation. CISA is issuing this advisory to provide early notice of the reported vulnerabilities and identify baseline mitigations for reducing risks to these and other cybersecurity attacks.
This updated advisory is a follow-up to the original advisory titled ICSA-21-315-02 Multiple Data Distribution Service (DDS) Implementations that was published November 11, 2021, to the ICS webpage on www.cisa.gov/uscert.
Successful exploitation of these vulnerabilities could result in denial-of-service or buffer-overflow conditions, which may lead to remote code execution or information exposure.
The following implementations of OMG DDS are affected:
Eclipse CycloneDDS versions prior to 0.8.0 are vulnerable to a write-what-where condition, which may allow an attacker to write arbitrary values in the XML parser.
CVE-2021-38441 has been assigned to this vulnerability. A CVSS v3 base score of 6.6 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H).
Eclipse CycloneDDS versions prior to 0.8.0 improperly handle invalid structures, which may allow an attacker to write arbitrary values in the XML parser.
CVE-2021-38443 has been assigned to this vulnerability. A CVSS v3 base score of 6.6 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H).
eProsima Fast DDS versions prior to 2.4.0 (#2269) are susceptible to exploitation when an attacker sends a specially crafted packet to flood a target device with unwanted traffic, which may result in a denial-of-service condition and information exposure.
--------- Begin Update A Part 1 of 4---------
CVE-2021-38425 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
--------- End Update A Part 1 of 4 ---------
All versions of GurumDDS improperly calculate the size to be used when allocating the buffer, which may result in a buffer overflow.
CVE-2021-38423 has been assigned to this vulnerability. A CVSS v3 base score of 6.6 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H).
All versions of GurumDDS are vulnerable to heap-based buffer overflow, which may cause a denial-of-service condition or remotely execute arbitrary code.
CVE-2021-38439 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H).
OCI OpenDDS versions prior to 3.18.1 do not handle a length parameter consistent with the actual length of the associated data, which may allow an attacker to remotely execute arbitrary code.
CVE-2021-38445 has been assigned to this vulnerability. A CVSS v3 base score of 7.0 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H).
OCI OpenDDS versions prior to 3.18.1 are vulnerable when an attacker sends a specially crafted packet to flood target devices with unwanted traffic, which may result in a denial-of-service condition.
CVE-2021-38447 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H).
OCI OpenDDS versions prior to 3.18.1 are vulnerable when an attacker sends a specially crafted packet to flood target devices with unwanted traffic, which may result in a denial-of-service condition and information exposure.
--------- Begin Update A Part 2 of 4 ---------
CVE-2021-38429 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
--------- End Update A Part 2 of 4 ---------
RTI Connext DDS Professional and Connext DDS Secure Versions 4.2.x to 6.1.0 are vulnerable to a stack-based buffer overflow, which may allow a local attacker to execute arbitrary code.
CVE-2021-38427 has been assigned to this vulnerability. A CVSS v3 base score of 6.6 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H).
RTI Connext DDS Professional and Connext DDS Secure Versions 4.2x to 6.1.0 vulnerable to a stack-based buffer overflow, which may allow a local attacker to execute arbitrary code.
CVE-2021-38433 has been assigned to this vulnerability. A CVSS v3 base score of 6.6 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H).
RTI Connext DDS Professional and Connext DDS Secure Versions 4.2x to 6.1.0 not correctly calculate the size when allocating the buffer, which may result in a buffer overflow.
CVE-2021-38435 has been assigned to this vulnerability. A CVSS v3 base score of 6.6 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H).
RTI Connext DDS Professional, Connext DDS Secure Versions 4.2x to 6.1.0, and Connext DDS Micro Versions 2.4 and later are vulnerable when an attacker sends a specially crafted packet to flood target devices with unwanted traffic. This may result in a denial-of-service condition and information exposure.
--------- Begin Update A Part 3 of 4 ---------
CVE-2021-38487 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
--------- End Update A Part 3 of 4 ---------
TwinOaks Computing CoreDX DDS versions prior to 5.9.1 are susceptible to exploitation when an attacker sends a specially crafted packet to flood target devices with unwanted traffic. This may result in a denial-of-service condition and information exposure.
--------- Begin Update A Part 4 of 4 ---------
CVE-2021-43547 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
--------- End Update A Part 4 of 4 ---------
Federico Maggi (Trend Micro Research), Ta-Lun Yen, and Chizuru Toyama (TXOne Networks, Trend Micro) reported these vulnerabilities to CISA. In addition, Patrick Kuo, Mars Cheng (TXOne Networks, Trend Micro), VΓctor Mayoral-Vilches (Alias Robotics), and Erik Boasson (ADLINK Technology) also contributed to this research.
Eclipse recommends users apply the latest CycloneDDS patches.
eProsima recommends users apply the latest Fast DDS patches.
CISA reached out to Gurum Networks but did not respond to requests for coordination. Users should contact GurumNetworks for assistance.
OCI recommends users update to Version 3.18.1 of OpenDDS or later.
RTI recommends users apply the available patches for these issues. A patch is available on the RTI customer portal or by contacting RTI Support. Also, contact RTI Support for mitigations, including how to use RTI DDS Secure to mitigate against the network amplification issue defined by CVE-2021-38487
Twin Oaks Computing recommends users apply CoreDX DDS Version 5.9.1 or later, which can be downloaded on the Twin Oaks website (login required).
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01BβTargeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.
No known public exploits specifically target these vulnerabilities.
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38423
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38425
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38427
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38429
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38433
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38435
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38439
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38441
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38443
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38445
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38447
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38487
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38487
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-43547
www.twinoakscomputing.com/coredx/download
cwe.mitre.org/data/definitions/121.html
cwe.mitre.org/data/definitions/121.html
cwe.mitre.org/data/definitions/122.html
cwe.mitre.org/data/definitions/123.html
cwe.mitre.org/data/definitions/130.html
cwe.mitre.org/data/definitions/131.html
cwe.mitre.org/data/definitions/131.html
cwe.mitre.org/data/definitions/228.html
cwe.mitre.org/data/definitions/405.html
cwe.mitre.org/data/definitions/406.html
cwe.mitre.org/data/definitions/406.html
cwe.mitre.org/data/definitions/406.html
cwe.mitre.org/data/definitions/406.html
github.com/eProsima/Fast-DDS
opendds.org/
projects.eclipse.org/projects/iot.cyclonedds
public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_138
support.rti.com/s/login/?ec=302&startURL=%2Fs%2F
twitter.com/CISAgov
twitter.com/intent/tweet?text=Multiple%20Data%20Distribution%20Service%20%28DDS%29%20Implementations%20%28Update%20A%29+https://www.cisa.gov/news-events/ics-advisories/icsa-21-315-02
www.cisa.gov/uscert/ics
www.cisa.gov/uscert/ics
www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01
www.cisa.gov/uscert/ics/recommended-practices
www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B
www.cisa.gov/uscert/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf
www.dhs.gov
www.dhs.gov/foia
www.dhs.gov/performance-financial-reports
www.facebook.com/CISA
www.facebook.com/sharer/sharer.php?u=https://www.cisa.gov/news-events/ics-advisories/icsa-21-315-02&title=Multiple%20Data%20Distribution%20Service%20%28DDS%29%20Implementations%20%28Update%20A%29
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
www.instagram.com/cisagov
www.linkedin.com/company/cybersecurity-and-infrastructure-security-agency
www.linkedin.com/sharing/share-offsite/?url=https://www.cisa.gov/news-events/ics-advisories/icsa-21-315-02
www.oig.dhs.gov/
www.surveymonkey.com/r/CISA-cyber-survey?product=https://www.cisa.gov/news-events/ics-advisories/icsa-21-315-02
www.usa.gov/
www.whitehouse.gov/
www.youtube.com/@cisagov
mailto:?subject=Multiple%20Data%20Distribution%20Service%20%28DDS%29%20Implementations%20%28Update%20A%29&body=www.cisa.gov/news-events/ics-advisories/icsa-21-315-02
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.6 High
AI Score
Confidence
High
8.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:P/I:N/A:C
0.003 Low
EPSS
Percentile
68.8%