CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:N/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
EPSS
Percentile
57.1%
The remote Ubuntu 22.04 ESM host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-6306-1 advisory.
eProsima Fast DDS versions prior to 2.4.0 (#2269) are susceptible to exploitation when an attacker sends a specially crafted packet to flood a target device with unwanted traffic, which may result in a denial-of- service condition and information exposure. (CVE-2021-38425)
eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.10.0, 2.9.2, and 2.6.5, a malformed GAP submessage can trigger assertion failure, crashing FastDDS. Version 2.10.0, 2.9.2, and 2.6.5 contain a patch for this issue.
(CVE-2023-39534)
eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.11.0, 2.10.2, 2.9.2, and 2.6.5, a data submessage sent to PDP port raises unhandled BadParamException
in fastcdr, which in turn crashes fastdds. Versions 2.11.0, 2.10.2, 2.9.2, and 2.6.5 contain a patch for this issue. (CVE-2023-39945)
eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.11.1, 2.10.2, 2.9.2, and 2.6.6, heap can be overflowed by providing a PID_PROPERTY_LIST parameter that contains a CDR string with length larger than the size of actual content. In eprosima::fastdds::dds::ParameterPropertyList_t::push_back_helper
, memcpy
is called to first copy the octet’ized length and then to copy the data into properties_.data
. At the second memcpy, both data
and size
can be controlled by anyone that sends the CDR string to the discovery multicast port. This can remotely crash any Fast-DDS process. Versions 2.11.1, 2.10.2, 2.9.2, and 2.6.6 contain a patch for this issue. (CVE-2023-39946)
eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.11.1, 2.10.2, 2.9.2, and 2.6.6, even after the fix at commit 3492270, malformed PID_PROPERTY_LIST
parameters cause heap overflow at a different program counter. This can remotely crash any Fast-DDS process. Versions 2.11.1, 2.10.2, 2.9.2, and 2.6.6 contain a patch for this issue. (CVE-2023-39947)
eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.10.0 and 2.6.5, the BadParamException
thrown by Fast CDR is not caught in Fast DDS. This can remotely crash any Fast DDS process. Versions 2.10.0 and 2.6.5 contain a patch for this issue. (CVE-2023-39948)
eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.9.1 and 2.6.5, improper validation of sequence numbers may lead to remotely reachable assertion failure. This can remotely crash any Fast-DDS process. Versions 2.9.1 and 2.6.5 contain a patch for this issue. (CVE-2023-39949)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-6306-1. The text
# itself is copyright (C) Canonical, Inc. See
# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
##
include('compat.inc');
if (description)
{
script_id(180181);
script_version("1.2");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/10/23");
script_cve_id(
"CVE-2021-38425",
"CVE-2023-39534",
"CVE-2023-39945",
"CVE-2023-39946",
"CVE-2023-39947",
"CVE-2023-39948",
"CVE-2023-39949"
);
script_xref(name:"USN", value:"6306-1");
script_name(english:"Ubuntu 22.04 ESM / 23.04 : Fast DDS vulnerabilities (USN-6306-1)");
script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
script_set_attribute(attribute:"description", value:
"The remote Ubuntu 22.04 ESM host has packages installed that are affected by multiple vulnerabilities as referenced in
the USN-6306-1 advisory.
- eProsima Fast DDS versions prior to 2.4.0 (#2269) are susceptible to exploitation when an attacker sends a
specially crafted packet to flood a target device with unwanted traffic, which may result in a denial-of-
service condition and information exposure. (CVE-2021-38425)
- eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object
Management Group. Prior to versions 2.10.0, 2.9.2, and 2.6.5, a malformed GAP submessage can trigger
assertion failure, crashing FastDDS. Version 2.10.0, 2.9.2, and 2.6.5 contain a patch for this issue.
(CVE-2023-39534)
- eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object
Management Group. Prior to versions 2.11.0, 2.10.2, 2.9.2, and 2.6.5, a data submessage sent to PDP port
raises unhandled `BadParamException` in fastcdr, which in turn crashes fastdds. Versions 2.11.0, 2.10.2,
2.9.2, and 2.6.5 contain a patch for this issue. (CVE-2023-39945)
- eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object
Management Group. Prior to versions 2.11.1, 2.10.2, 2.9.2, and 2.6.6, heap can be overflowed by providing
a PID_PROPERTY_LIST parameter that contains a CDR string with length larger than the size of actual
content. In `eprosima::fastdds::dds::ParameterPropertyList_t::push_back_helper`, `memcpy` is called to
first copy the octet'ized length and then to copy the data into `properties_.data`. At the second memcpy,
both `data` and `size` can be controlled by anyone that sends the CDR string to the discovery multicast
port. This can remotely crash any Fast-DDS process. Versions 2.11.1, 2.10.2, 2.9.2, and 2.6.6 contain a
patch for this issue. (CVE-2023-39946)
- eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object
Management Group. Prior to versions 2.11.1, 2.10.2, 2.9.2, and 2.6.6, even after the fix at commit
3492270, malformed `PID_PROPERTY_LIST` parameters cause heap overflow at a different program counter. This
can remotely crash any Fast-DDS process. Versions 2.11.1, 2.10.2, 2.9.2, and 2.6.6 contain a patch for
this issue. (CVE-2023-39947)
- eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object
Management Group. Prior to versions 2.10.0 and 2.6.5, the `BadParamException` thrown by Fast CDR is not
caught in Fast DDS. This can remotely crash any Fast DDS process. Versions 2.10.0 and 2.6.5 contain a
patch for this issue. (CVE-2023-39948)
- eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object
Management Group. Prior to versions 2.9.1 and 2.6.5, improper validation of sequence numbers may lead to
remotely reachable assertion failure. This can remotely crash any Fast-DDS process. Versions 2.9.1 and
2.6.5 contain a patch for this issue. (CVE-2023-39949)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-6306-1");
script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-38425");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2022/05/05");
script_set_attribute(attribute:"patch_publication_date", value:"2023/08/24");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/08/24");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:22.04:-:esm");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:23.04");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:fastdds-tools");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libfastrtps-dev");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libfastrtps2.5");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libfastrtps2.9");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Ubuntu Local Security Checks");
script_copyright(english:"Ubuntu Security Notice (C) 2023 Canonical, Inc. / NASL script (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
exit(0);
}
include('debian_package.inc');
if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('22.04' >< os_release || '23.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 22.04 / 23.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);
var pkgs = [
{'osver': '22.04', 'pkgname': 'fastdds-tools', 'pkgver': '2.5.0+ds-3ubuntu0.1~esm1'},
{'osver': '22.04', 'pkgname': 'libfastrtps-dev', 'pkgver': '2.5.0+ds-3ubuntu0.1~esm1'},
{'osver': '22.04', 'pkgname': 'libfastrtps2.5', 'pkgver': '2.5.0+ds-3ubuntu0.1~esm1'},
{'osver': '23.04', 'pkgname': 'fastdds-tools', 'pkgver': '2.9.1+ds-1ubuntu0.1'},
{'osver': '23.04', 'pkgname': 'libfastrtps-dev', 'pkgver': '2.9.1+ds-1ubuntu0.1'},
{'osver': '23.04', 'pkgname': 'libfastrtps2.9', 'pkgver': '2.9.1+ds-1ubuntu0.1'}
];
var flag = 0;
foreach package_array ( pkgs ) {
var osver = NULL;
var pkgname = NULL;
var pkgver = NULL;
if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];
if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];
if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];
if (osver && pkgname && pkgver) {
if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : ubuntu_report_get()
);
exit(0);
}
else
{
var tested = ubuntu_pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'fastdds-tools / libfastrtps-dev / libfastrtps2.5 / libfastrtps2.9');
}
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38425
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39534
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39945
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39946
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39947
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39948
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39949
ubuntu.com/security/notices/USN-6306-1
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:N/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
EPSS
Percentile
57.1%