CVE-ID
CVE-2023-33565
Title
Denial-of-Service (DoS) Vulnerability in ROS2 Foxy Fitzroy
Vulnerability Type
Denial-of-Service (DoS)
Severity
TBD (Upon Analysis)
Vendor
The Open Source Robotics Foundation (OSRF)
Products Affected
ROS2 Foxy Fitzroy (ROS_VERSION=2 and ROS_PYTHON_VERSION=3)
Description
A Denial-of-Service (DoS) vulnerability exists in ROS2 Foxy Fitzroy versions where ROS_VERSION is 2 and ROS_PYTHON_VERSION is 3. A malicious user could potentially exploit this vulnerability remotely to crash the ROS2 nodes, thereby causing a denial of service. The flaw allows an attacker to cause unexpected behavior in the operation of ROS2 nodes, which leads to their failure and interrupts the regular operation of the system, thus making it unavailable for its intended users.
Impact
Successful exploitation of this vulnerability could allow an attacker to exhaust resources, cause a crash, or interrupt the operation of ROS2 nodes leading to a Denial-of-Service condition. Depending on the nature of the services offered by the affected system, this could have significant implications, including loss of control over robotic operations.
Attack Vector
This vulnerability can be exploited remotely. The specifics of the attack vector are currently undisclosed.
Solution
Users are advised to update to the latest version as soon as it becomes available and monitor advisories from the ROS2 development team. In the interim, users should consider limiting network exposure for all control system devices and ensure they are not accessible from the Internet.
Workaround
There is currently no known workaround for this vulnerability. The primary mitigation is to update to a patched version as soon as it is available.
CVE Status
Confirmed and published.
Credit
Yash Patel and Dr. Parag Rughani