Eclipse CycloneDDS
cpe:2.3:a:eclipse:cyclone_data_distribution_service:*:*:*:*:*:*:*
- < 0.10.5
A vulnerability exists in Eclipse Cyclone DDS versions prior to 0.10.5, where an integer underflow during the deserialization process can be exploited by any unauthenticated user to read out-of-bounds memory on the heap. This issue arises in the 'DDS_Security_Deserialize_OctetSeq' and 'DDS_Security_Deserialize_String' methods. The underflow occurs when the deserializer incorrectly calculates the remaining bytes, allowing the process to access memory beyond the intended buffer. As a result, sensitive data such as cryptographic keys or pointers revealing the memory layout could be exposed, potentially leading to thread crashes or denial-of-service conditions.
Exploitation of this vulnerability could result in the unauthorized reading of sensitive data, such as cryptographic key material, or pointers that disclose the memory layout, which could be manipulated to cause a thread crash or other denial-of-service conditions.
The vulnerability can be reproduced by crafting a serialized input that exploits the integer underflow in the deserialization methods. This can be done by creating a packet that includes a length value greater than the actual data provided, particularly in the 'master_receiver_specific_key' field, which can be manipulated to allocate excessive memory. The deserialization process will then read beyond the allocated buffer, accessing out-of-bounds heap memory.
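The remaining-bytes miscalculation described above, shown as an added C example that is not Cyclone DDS source code: a generic subtract-without-check pattern beside a bounds-checked length-prefixed read. The cursor type, function names, big-endian length prefix and sample buffers are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical cursor over a received buffer; names are illustrative only. */
typedef struct { const uint8_t *p; size_t remain; } cursor_t;

/* Flawed pattern: subtract first, never check. With fewer than 4 bytes left
   the unsigned result wraps, so any later "len <= remain" test passes. */
static size_t remain_after_len_unchecked(size_t remain) {
    return remain - sizeof(uint32_t);
}

/* Hardened: confirm 4 bytes exist before consuming the length prefix
   (big-endian encoding is an assumption of this sketch). */
static int read_u32(cursor_t *c, uint32_t *out) {
    if (c->remain < sizeof(uint32_t)) return 0;
    *out = ((uint32_t)c->p[0] << 24) | ((uint32_t)c->p[1] << 16) |
           ((uint32_t)c->p[2] << 8) | (uint32_t)c->p[3];
    c->p += 4; c->remain -= 4;
    return 1;
}

/* Hardened octet-sequence read: the declared length must fit both the bytes
   still in the buffer and the destination before anything is copied. */
static int read_octet_seq(cursor_t *c, uint8_t *dst, size_t cap, size_t *len) {
    uint32_t n;
    if (!read_u32(c, &n)) return 0;
    if (n > c->remain || n > cap) return 0;
    memcpy(dst, c->p, n);
    c->p += n; c->remain -= n; *len = n;
    return 1;
}

/* Constructed sample inputs (not captured traffic). */
static const uint8_t GOOD[]     = {0, 0, 0, 3, 0xAA, 0xBB, 0xCC};
static const uint8_t OVERLONG[] = {0, 0, 0, 64, 0xAA, 0xBB, 0xCC}; /* claims 64, has 3 */
static const uint8_t TRUNC[]    = {0, 0};                          /* no full prefix */

/* Returns the decoded length, or -1 if the input is rejected. */
static long try_parse(const uint8_t *buf, size_t size) {
    uint8_t out[32]; size_t len = 0; cursor_t c = { buf, size };
    return read_octet_seq(&c, out, sizeof out, &len) ? (long)len : -1;
}

int main(void) { /* exit status 0 when all constructed cases behave as described */
    return (try_parse(GOOD, sizeof GOOD) == 3 && try_parse(OVERLONG, sizeof OVERLONG) == -1 &&
            try_parse(TRUNC, sizeof TRUNC) == -1 && remain_after_len_unchecked(2) > 2) ? 0 : 1;
}
```

The same two checks (bytes available before reading the prefix, declared length against bytes remaining) are what to look for when reviewing any length-prefixed deserializer.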
Users can upgrade to Eclipse Cyclone DDS version 0.10.5 or later to address this vulnerability.