CVE-2023-39946
Heap overflow in push_back_helper due to a CDR message
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.11.1, 2.10.2, 2.9.2, and 2.6.6, heap can be overflowed by providing a PID_PROPERTY_LIST parameter that contains a CDR string with length larger than the size of actual content. In `eprosima::fastdds::dds::ParameterPropertyList_t::push_back_helper`, `memcpy` is called to first copy the octet'ized length and then to copy the data into `properties_.data`. At the second memcpy, both `data` and `size` can be controlled by anyone that sends the CDR string to the discovery multicast port. This can remotely crash any Fast-DDS process. Versions 2.11.1, 2.10.2, 2.9.2, and 2.6.6 contain a patch for this issue.
eprosima Fast DDS es una implementación en C++ del estándar Data Distribution Service del Object Management Group. Antes de las versiones 2.11.1, 2.10.2, 2.9.2 y 2.6.6, se podía desbordar el heap proporcionando un parámetro PID_PROPERTY_LIST que contuviera una cadena CDR con una longitud mayor que el tamaño del contenido real. En `eprosima::fastdds::dds::ParameterPropertyList_t::push_back_helper`, se llama a `memcpy` para copiar primero la longitud octet'izada y luego copiar los datos en `properties_.data`. En el segundo memcpy, tanto `data` como `size` pueden ser controlados por cualquiera que envíe la cadena CDR al puerto multicast de descubrimiento. Esto puede bloquear remotamente cualquier proceso Fast-DDS. Las versiones 2.11.1, 2.10.2, 2.9.2 y 2.6.6 contienen un parche para este problema.
CVSS Scores
SSVC
- Decision:Attend
Timeline
- 2023-08-07 CVE Reserved
- 2023-08-11 CVE Published
- 2024-09-12 EPSS Updated
- 2024-10-10 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-122: Heap-based Buffer Overflow
- CWE-787: Out-of-bounds Write
CAPEC
References (3)
| URL | Tag | Source |
|---|---|---|
| https://github.com/eProsima/Fast-DDS/commit/349227005827e8a67a0406b823138b5068cc47dc | Third Party Advisory | |
| https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-j297-rg6j-m7hx | Third Party Advisory | |
| https://www.debian.org/security/2023/dsa-5481 | Third Party Advisory |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Eprosima Search vendor "Eprosima" | Fast Dds Search vendor "Eprosima" for product "Fast Dds" | >= 2.6.0 < 2.6.6 Search vendor "Eprosima" for product "Fast Dds" and version " >= 2.6.0 < 2.6.6" | - |
Affected
| ||||||
| Eprosima Search vendor "Eprosima" | Fast Dds Search vendor "Eprosima" for product "Fast Dds" | >= 2.9.0 < 2.9.2 Search vendor "Eprosima" for product "Fast Dds" and version " >= 2.9.0 < 2.9.2" | - |
Affected
| ||||||
| Eprosima Search vendor "Eprosima" | Fast Dds Search vendor "Eprosima" for product "Fast Dds" | >= 2.10.0 < 2.10.2 Search vendor "Eprosima" for product "Fast Dds" and version " >= 2.10.0 < 2.10.2" | - |
Affected
| ||||||
| Eprosima Search vendor "Eprosima" | Fast Dds Search vendor "Eprosima" for product "Fast Dds" | 2.11.0 Search vendor "Eprosima" for product "Fast Dds" and version "2.11.0" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 11.0 Search vendor "Debian" for product "Debian Linux" and version "11.0" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 12.0 Search vendor "Debian" for product "Debian Linux" and version "12.0" | - |
Affected
| ||||||