OpenDDS and ROS 2 DDS Vulnerability in PKCS#7 Certificate Validation Allowing Permission Document Forgery

Vulnerability

A vulnerability exists in certain Data Distribution Service (DDS) implementations, specifically in OpenDDS and in ROS 2 nodes using Fast-DDS or CycloneDDS, due to non-compliant handling of PKCS#7 certificate validation. This flaw allows an attacker to create malicious DDS participants with valid certificates that can manipulate the DDS chain of trust. By exploiting this vulnerability, the attacker can forge permissions documents, potentially gaining unauthorized access or control within the DDS environment.

Impact

Exploitation of this vulnerability allows malicious DDS participants to sign their own permissions documents, bypassing security controls and potentially gaining unauthorized access to DDS topics and services.

Reproduction

The vulnerability can be reproduced by creating a DDS participant (ROS 2 node) that is allowed to publish but not to subscribe to certain topics. After running the node with the correct permissions, the participant can modify its permissions document to grant itself additional rights, such as subscribing to topics it was previously restricted from accessing. This is done by re-signing the altered permissions document with the participant's own certificate, taking advantage of the flawed validation process that accepts the signature due to the improper handling of certificate authorities.

Remediation

The issue can be addressed by separating the roles of Identity CA and Permissions CA in the DDS security keystore, ensuring that each CA is distinct and cannot be exploited to forge permissions documents.
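A keystore audit for the separation described above, as an added example that is not code from OpenDDS, ROS 2 or this advisory. It assumes the SROS 2 enclave file names identity_ca.cert.pem and permissions_ca.cert.pem; the sample keystore and its certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import ssl
import tempfile
from pathlib import Path

# Assumed file names, following the SROS 2 enclave layout.
IDENTITY_CA = "identity_ca.cert.pem"
PERMISSIONS_CA = "permissions_ca.cert.pem"

def cert_fingerprint(pem_path: Path) -> str:
    """SHA-256 over the DER bytes; read_text() follows symlinks."""
    der = ssl.PEM_cert_to_DER_cert(pem_path.read_text())
    return hashlib.sha256(der).hexdigest()

def audit_keystore(keystore: Path) -> dict:
    """Classify every directory that holds an Identity CA certificate."""
    results = {}
    for id_ca in sorted(keystore.rglob(IDENTITY_CA)):
        perm_ca = id_ca.parent / PERMISSIONS_CA
        name = id_ca.parent.relative_to(keystore).as_posix()
        if not perm_ca.exists():
            results[name] = "incomplete"
        elif cert_fingerprint(id_ca) == cert_fingerprint(perm_ca):
            results[name] = "shared-ca"   # one CA fills both roles
        else:
            results[name] = "separate-ca"
    return results

def _placeholder_pem(seed: bytes) -> str:
    # Constructed bytes in PEM framing, not a real certificate.
    body = base64.encodebytes(seed * 16).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"

def build_sample_keystore(root: Path) -> Path:
    """Constructed keystore: one shared-CA enclave, one separated, one incomplete."""
    layout = {"talker": (b"ca-a", b"ca-a"), "listener": (b"ca-a", b"ca-b"),
              "broken": (b"ca-a", None)}
    for enclave, (id_seed, perm_seed) in layout.items():
        d = root / "enclaves" / enclave
        d.mkdir(parents=True)
        (d / IDENTITY_CA).write_text(_placeholder_pem(id_seed))
        if perm_seed is not None:
            (d / PERMISSIONS_CA).write_text(_placeholder_pem(perm_seed))
    return root

if __name__ == "__main__":
    sample = build_sample_keystore(Path(tempfile.mkdtemp()))
    for enclave, status in audit_keystore(sample).items():
        print(f"{status:12} {enclave}")
```

The fingerprint comparison only detects the same certificate in both roles; two different certificates issued over the same CA key would need a public-key comparison instead.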

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.8
impact: 7.5
exploitability: 9.5
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.