Robot Operating System YAML Deserialization Vulnerability in dynparam Tool

Vulnerability

A YAML deserialization vulnerability exists in the 'dynparam' command-line tool of the Robot Operating System (ROS). The tool ships in the 'dynamic_reconfigure' package and is used to list, get, set, load and dump the parameters of dynamically reconfigurable nodes. The vulnerability affects ROS 1 distributions up to and including Noetic. The 'dynparam' script parses user-supplied parameter input with the unsafe 'yaml.load()' function instead of 'yaml.safe_load()'. PyYAML's full loader honours Python-specific tags such as '!!python/object/apply', so a crafted document can instantiate arbitrary Python objects and invoke arbitrary callables while it is being parsed, before the tool has done anything with the result. Any local or remote user who can supply a parameter file or value to 'dynparam' can therefore execute arbitrary Python code with the privileges of the user running the tool. The fix, available in the latest 'dynamic_reconfigure' release for ROS Noetic, replaces 'yaml.load()' with 'yaml.safe_load()'.

Impact

Successful exploitation yields arbitrary Python code execution with the privileges of the user running 'dynparam'. From there an attacker can run operating-system commands and read, modify or exfiltrate any data that user can reach, and can act on the ROS system on that user's behalf.

Reproduction

The vulnerability can be reproduced by pointing 'dynparam load' at a YAML file that carries a PyYAML Python-object tag instead of an ordinary parameter document. A tag of the form '!!python/object/apply:os.system' with a shell command as its argument makes the loader call the 'os.system()' function while parsing the input, so a command such as 'cat /etc/passwd' runs and prints the contents of the local '/etc/passwd' file to the terminal before any parameter is sent to a node. The current 'dynparam' code executes this input, demonstrating the vulnerability. After the patch the same input is rejected by 'yaml.safe_load()', which does not construct Python-specific tags and fails with a constructor error, so no code runs.
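The two loader calls side by side, as an added example written for this page rather than code taken from the 'dynparam' script or the ROS project. It assumes PyYAML 5.1 or newer is installed, emulates the old default behaviour of a bare 'yaml.load()' with the explicit 'yaml.UnsafeLoader', and uses a constructed payload that calls the harmless 'os.getcwd' instead of 'os.system' so the demo is safe to run; the tag shape is the same one the reproduction above relies on, and the benign parameter document is likewise made up for the example.

```python
"""Added example (not dynparam's own code): why yaml.load() on user-supplied
parameter text is code execution, and what yaml.safe_load() does instead.

Assumptions: PyYAML >= 5.1 is installed. The behaviour of a bare
yaml.load(text) in the PyYAML versions shipped with older ROS 1 distributions
is emulated explicitly with yaml.UnsafeLoader. The payload below is constructed
for this example and calls a harmless function (os.getcwd) instead of
os.system, so nothing dangerous happens when it runs.
"""
import os

import yaml

# Constructed payload. The same tag with ``os.system`` and a shell command as
# its argument is what a hostile parameter file handed to ``dynparam load``
# would carry; ``[]`` is the (empty) positional argument list for the call.
HOSTILE_YAML = "!!python/object/apply:os.getcwd []"

# A legitimate, made-up dynparam-style parameter document for comparison.
BENIGN_YAML = "max_speed: 1.5\nenable_lidar: true\n"


def load_params_vulnerable(text: str):
    """Pre-patch pattern: the full loader constructs arbitrary Python objects,
    so a ``!!python/object/apply`` tag calls the named callable during parsing."""
    return yaml.load(text, Loader=yaml.UnsafeLoader)


def load_params_fixed(text: str):
    """Post-patch pattern: SafeLoader only knows plain YAML types and raises a
    ConstructorError for every ``!!python/...`` tag, before anything executes."""
    return yaml.safe_load(text)


def demo() -> dict:
    """Run both loaders over both documents and report what happened."""
    results = {}

    # Vulnerable: parsing the hostile document calls os.getcwd() and returns
    # its result, proving the callable named in the tag really executed.
    vulnerable_value = load_params_vulnerable(HOSTILE_YAML)
    results["vulnerable_hostile_executed"] = vulnerable_value == os.getcwd()

    # Fixed: the same document is rejected with a constructor error.
    try:
        load_params_fixed(HOSTILE_YAML)
        results["fixed_hostile"] = "loaded"
    except yaml.constructor.ConstructorError:
        results["fixed_hostile"] = "rejected"

    # Ordinary parameter files load identically under both loaders, which is
    # why the one-word fix costs nothing for legitimate use.
    results["fixed_benign"] = load_params_fixed(BENIGN_YAML)
    results["vulnerable_benign"] = load_params_vulnerable(BENIGN_YAML)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

'yaml.safe_load(text)' is shorthand for 'yaml.load(text, Loader=yaml.SafeLoader)'; either spelling is the correct fix. The 'UnsafeLoader' name exists only to make the legacy behaviour explicit here; production code that parses input from users, files or the network should never select it.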

Remediation

Users of ROS Noetic should update to the latest 'dynamic_reconfigure' package, which contains the fix. Noetic is the final ROS 1 distribution; earlier distributions such as Melodic are end-of-life and will not receive the update, so on those systems the 'dynparam' script must be patched by hand (replace the 'yaml.load()' call with 'yaml.safe_load()'), or the exposure reduced by other means such as restricting who can run 'dynparam' and which parameter files it is allowed to load.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 4.5
impact: 10.0
exploitability: 7.4
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.