CVE-2023-33566
Unauthorized Node Injection Vulnerability in ROS2 Foxy Fitzroy
Injection
Critical (Base Score: 9.8)
The Open Source Robotics Foundation (OSRF)
ROS2 Foxy Fitzroy (ROS_VERSION=2 and ROS_PYTHON_VERSION=3)
An unauthorized node injection vulnerability has been identified in ROS2 Foxy Fitzroy versions where ROS_VERSION is 2 and ROS_PYTHON_VERSION is 3. This vulnerability could allow a malicious user to inject malicious ROS2 nodes into the system remotely. Once injected, these nodes could disrupt the normal operations of the system or cause other potentially harmful behavior.
Successful exploitation of this vulnerability could allow an attacker to inject malicious nodes into the system, disrupting regular operations and potentially leading to unauthorized access or control over robotic operations. Depending on the nature and functionality of the affected system, this could have serious implications.
This vulnerability can be exploited remotely. The specifics of the attack vector are currently undisclosed.
Users are advised to update to the latest version as soon as it becomes available and monitor advisories from the ROS2 development team. In the interim, users should consider implementing strict access controls to help mitigate potential unauthorized access.
There is currently no known workaround for this vulnerability. The primary mitigation is to update to a patched version as soon as it is available.
Confirmed and published.
Yash Patel and Dr. Parag Rughani