Lucene search

HistoryAug 24, 2023 - 12:00 a.m.

Ubuntu 22.04 ESM / 23.04 : Fast DDS vulnerabilities (USN-6306-1)

2023-08-2400:00:00

www.tenable.com

ubuntu 22.04

version 23.04

esm

fast dds

vulnerabilities

usn-6306-1

denial of service

information exposure

assertion failure

heap overflow

cve-2021-38425

cve-2023-39534

cve-2023-39945

cve-2023-39946

cve-2023-39947

cve-2023-39948

cve-2023-39949

nessus scanner

6.4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:N/A:P

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

0.002 Low

EPSS

Percentile

56.6%

JSON

The remote Ubuntu 22.04 ESM host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-6306-1 advisory.

eProsima Fast DDS versions prior to 2.4.0 (#2269) are susceptible to exploitation when an attacker sends a specially crafted packet to flood a target device with unwanted traffic, which may result in a denial-of- service condition and information exposure. (CVE-2021-38425)
eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.10.0, 2.9.2, and 2.6.5, a malformed GAP submessage can trigger assertion failure, crashing FastDDS. Version 2.10.0, 2.9.2, and 2.6.5 contain a patch for this issue.
(CVE-2023-39534)
eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.11.0, 2.10.2, 2.9.2, and 2.6.5, a data submessage sent to PDP port raises unhandled BadParamException in fastcdr, which in turn crashes fastdds. Versions 2.11.0, 2.10.2, 2.9.2, and 2.6.5 contain a patch for this issue. (CVE-2023-39945)
eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.11.1, 2.10.2, 2.9.2, and 2.6.6, heap can be overflowed by providing a PID_PROPERTY_LIST parameter that contains a CDR string with length larger than the size of actual content. In eprosima::fastdds::dds::ParameterPropertyList_t::push_back_helper, memcpy is called to first copy the octet’ized length and then to copy the data into properties_.data. At the second memcpy, both data and size can be controlled by anyone that sends the CDR string to the discovery multicast port. This can remotely crash any Fast-DDS process. Versions 2.11.1, 2.10.2, 2.9.2, and 2.6.6 contain a patch for this issue. (CVE-2023-39946)
eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.11.1, 2.10.2, 2.9.2, and 2.6.6, even after the fix at commit 3492270, malformed PID_PROPERTY_LIST parameters cause heap overflow at a different program counter. This can remotely crash any Fast-DDS process. Versions 2.11.1, 2.10.2, 2.9.2, and 2.6.6 contain a patch for this issue. (CVE-2023-39947)
eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.10.0 and 2.6.5, the BadParamException thrown by Fast CDR is not caught in Fast DDS. This can remotely crash any Fast DDS process. Versions 2.10.0 and 2.6.5 contain a patch for this issue. (CVE-2023-39948)
eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.9.1 and 2.6.5, improper validation of sequence numbers may lead to remotely reachable assertion failure. This can remotely crash any Fast-DDS process. Versions 2.9.1 and 2.6.5 contain a patch for this issue. (CVE-2023-39949)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-6306-1. The text
# itself is copyright (C) Canonical, Inc. See
# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
##

include('compat.inc');

if (description)
{
  script_id(180181);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/10/23");

  script_cve_id(
    "CVE-2021-38425",
    "CVE-2023-39534",
    "CVE-2023-39945",
    "CVE-2023-39946",
    "CVE-2023-39947",
    "CVE-2023-39948",
    "CVE-2023-39949"
  );
  script_xref(name:"USN", value:"6306-1");

  script_name(english:"Ubuntu 22.04 ESM / 23.04 : Fast DDS vulnerabilities (USN-6306-1)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Ubuntu 22.04 ESM host has packages installed that are affected by multiple vulnerabilities as referenced in
the USN-6306-1 advisory.

  - eProsima Fast DDS versions prior to 2.4.0 (#2269) are susceptible to exploitation when an attacker sends a
    specially crafted packet to flood a target device with unwanted traffic, which may result in a denial-of-
    service condition and information exposure. (CVE-2021-38425)

  - eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object
    Management Group. Prior to versions 2.10.0, 2.9.2, and 2.6.5, a malformed GAP submessage can trigger
    assertion failure, crashing FastDDS. Version 2.10.0, 2.9.2, and 2.6.5 contain a patch for this issue.
    (CVE-2023-39534)

  - eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object
    Management Group. Prior to versions 2.11.0, 2.10.2, 2.9.2, and 2.6.5, a data submessage sent to PDP port
    raises unhandled `BadParamException` in fastcdr, which in turn crashes fastdds. Versions 2.11.0, 2.10.2,
    2.9.2, and 2.6.5 contain a patch for this issue. (CVE-2023-39945)

  - eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object
    Management Group. Prior to versions 2.11.1, 2.10.2, 2.9.2, and 2.6.6, heap can be overflowed by providing
    a PID_PROPERTY_LIST parameter that contains a CDR string with length larger than the size of actual
    content. In `eprosima::fastdds::dds::ParameterPropertyList_t::push_back_helper`, `memcpy` is called to
    first copy the octet'ized length and then to copy the data into `properties_.data`. At the second memcpy,
    both `data` and `size` can be controlled by anyone that sends the CDR string to the discovery multicast
    port. This can remotely crash any Fast-DDS process. Versions 2.11.1, 2.10.2, 2.9.2, and 2.6.6 contain a
    patch for this issue. (CVE-2023-39946)

  - eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object
    Management Group. Prior to versions 2.11.1, 2.10.2, 2.9.2, and 2.6.6, even after the fix at commit
    3492270, malformed `PID_PROPERTY_LIST` parameters cause heap overflow at a different program counter. This
    can remotely crash any Fast-DDS process. Versions 2.11.1, 2.10.2, 2.9.2, and 2.6.6 contain a patch for
    this issue. (CVE-2023-39947)

  - eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object
    Management Group. Prior to versions 2.10.0 and 2.6.5, the `BadParamException` thrown by Fast CDR is not
    caught in Fast DDS. This can remotely crash any Fast DDS process. Versions 2.10.0 and 2.6.5 contain a
    patch for this issue. (CVE-2023-39948)

  - eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object
    Management Group. Prior to versions 2.9.1 and 2.6.5, improper validation of sequence numbers may lead to
    remotely reachable assertion failure. This can remotely crash any Fast-DDS process. Versions 2.9.1 and
    2.6.5 contain a patch for this issue. (CVE-2023-39949)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-6306-1");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-38425");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/05/05");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/08/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/08/24");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:22.04:-:esm");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:23.04");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:fastdds-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libfastrtps-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libfastrtps2.5");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libfastrtps2.9");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Ubuntu Local Security Checks");

  script_copyright(english:"Ubuntu Security Notice (C) 2023 Canonical, Inc. / NASL script (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');

if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('22.04' >< os_release || '23.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 22.04 / 23.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);

var pkgs = [
    {'osver': '22.04', 'pkgname': 'fastdds-tools', 'pkgver': '2.5.0+ds-3ubuntu0.1~esm1'},
    {'osver': '22.04', 'pkgname': 'libfastrtps-dev', 'pkgver': '2.5.0+ds-3ubuntu0.1~esm1'},
    {'osver': '22.04', 'pkgname': 'libfastrtps2.5', 'pkgver': '2.5.0+ds-3ubuntu0.1~esm1'},
    {'osver': '23.04', 'pkgname': 'fastdds-tools', 'pkgver': '2.9.1+ds-1ubuntu0.1'},
    {'osver': '23.04', 'pkgname': 'libfastrtps-dev', 'pkgver': '2.9.1+ds-1ubuntu0.1'},
    {'osver': '23.04', 'pkgname': 'libfastrtps2.9', 'pkgver': '2.9.1+ds-1ubuntu0.1'}
];

var flag = 0;
foreach package_array ( pkgs ) {
  var osver = NULL;
  var pkgname = NULL;
  var pkgver = NULL;
  if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];
  if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];
  if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];
  if (osver && pkgname && pkgver) {
    if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;
  }
}

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  var tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'fastdds-tools / libfastrtps-dev / libfastrtps2.5 / libfastrtps2.9');
}

VendorProductVersionCPE
canonicalubuntu_linuxlibfastrtps2.9p-cpe:/a:canonical:ubuntu_linux:libfastrtps2.9
canonicalubuntu_linux22.04cpe:/o:canonical:ubuntu_linux:22.04:-:esm
canonicalubuntu_linux23.04cpe:/o:canonical:ubuntu_linux:23.04
canonicalubuntu_linuxfastdds-toolsp-cpe:/a:canonical:ubuntu_linux:fastdds-tools
canonicalubuntu_linuxlibfastrtps-devp-cpe:/a:canonical:ubuntu_linux:libfastrtps-dev
canonicalubuntu_linuxlibfastrtps2.5p-cpe:/a:canonical:ubuntu_linux:libfastrtps2.5

Vendor	Product	Version	CPE
canonical	ubuntu_linux	libfastrtps2.9	p-cpe:/a:canonical:ubuntu_linux:libfastrtps2.9
canonical	ubuntu_linux	22.04	cpe:/o:canonical:ubuntu_linux:22.04:-:esm
canonical	ubuntu_linux	23.04	cpe:/o:canonical:ubuntu_linux:23.04
canonical	ubuntu_linux	fastdds-tools	p-cpe:/a:canonical:ubuntu_linux:fastdds-tools
canonical	ubuntu_linux	libfastrtps-dev	p-cpe:/a:canonical:ubuntu_linux:libfastrtps-dev
canonical	ubuntu_linux	libfastrtps2.5	p-cpe:/a:canonical:ubuntu_linux:libfastrtps2.5