eProsima Fast DDS Out-of-Memory Vulnerability in SPDP Packet Processing

Vulnerability

A vulnerability in eProsima Fast DDS prior to versions 3.4.1, 3.3.1, and 2.6.11 allows publishers to cause an out-of-memory condition by tampering with the DATA submessage of SPDP packets. Altering the length field of certain tokens in that submessage leads to an integer overflow during deserialization; the resulting overflow triggers an out-of-memory condition and remotely terminates the Fast DDS process.

Impact

Exploitation of this vulnerability causes a denial-of-service condition by exhausting memory resources, leading to a crash of the Fast DDS application.

Reproduction

The vulnerability can be reproduced by sending an SPDP packet with a modified DATA submessage that carries an altered length field in the PID_IDENTITY_TOKEN or PID_PERMISSION_TOKEN parameter. This can be done using a custom application or a network tool that allows manipulation of packet contents. Once the modified packet is received by a Fast DDS participant with security enabled, the out-of-memory condition is triggered and the application crashes.
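As an added illustration of the check whose absence the advisory describes (example code written for this page, not taken from Fast DDS), the following walks an SPDP DATA ParameterList and validates each token's declared string length against the bytes actually present before any buffer is sized. It assumes little-endian PL_CDR with the encapsulation header already consumed, parses only each token's class_id, and uses PID numbers, a size cap and a sample payload that are assumptions, not values from the page.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>
// PID values as given in the DDS Security spec (assumed here, not taken from Fast DDS sources).
constexpr uint32_t PID_SENTINEL = 0x0001, PID_IDENTITY_TOKEN = 0x1001, PID_PERMISSIONS_TOKEN = 0x1002;
constexpr uint32_t MAX_CLASS_ID_LEN = 256;  // hypothetical sanity cap on a token's class_id
struct Cursor { const uint8_t* p; size_t left; };  // read position and bytes remaining

static bool read_le(Cursor& c, size_t n, uint32_t& v) {  // little-endian n-byte integer
    if (c.left < n) return false;
    v = 0; for (size_t i = 0; i < n; ++i) v |= uint32_t(c.p[i]) << (8 * i);
    c.p += n; c.left -= n; return true;
}
// CDR string: u32 length (NUL included) then the bytes. The declared length is checked against the
// bytes really left in the parameter before anything is sized, so a tampered value cannot overflow.
static bool read_cdr_string(Cursor& c, std::string& out) {
    uint32_t len;
    if (!read_le(c, 4, len)) return false;
    if (len == 0 || len > MAX_CLASS_ID_LEN || len > c.left || c.p[len - 1] != '\0') return false;
    out.assign(reinterpret_cast<const char*>(c.p), len - 1);
    c.p += len; c.left -= len; return true;
}

// Walks a little-endian ParameterList from an SPDP DATA payload, parsing the class_id of each
// identity/permissions token. Returns the token count, or -1 as soon as a length field lies.
int parse_spdp_parameter_list(const std::vector<uint8_t>& buf) {
    Cursor c{buf.data(), buf.size()};
    int tokens = 0;
    for (;;) {
        uint32_t pid, plen;
        if (!read_le(c, 2, pid) || !read_le(c, 2, plen)) return -1;
        if (pid == PID_SENTINEL) return tokens;
        if (plen > c.left || plen % 4 != 0) return -1;  // outer parameter length vs. payload
        if (pid == PID_IDENTITY_TOKEN || pid == PID_PERMISSIONS_TOKEN) {
            Cursor inner{c.p, plen}; std::string class_id;
            if (!read_cdr_string(inner, class_id)) return -1;
            ++tokens;
        }
        c.p += plen; c.left -= plen;
    }
}
// Constructed sample: one identity token with class_id "DDS:Auth:PKI-DH:1.0" (20 bytes with NUL);
// declared_len lets a caller substitute a tampered inner string length for testing.
std::vector<uint8_t> sample_payload(uint32_t declared_len) {
    std::vector<uint8_t> v = {0x01, 0x10, 0x18, 0x00};  // PID_IDENTITY_TOKEN, parameter length 24
    for (int i = 0; i < 4; ++i) v.push_back((declared_len >> (8 * i)) & 0xff);
    const char* cid = "DDS:Auth:PKI-DH:1.0"; v.insert(v.end(), cid, cid + 20);  // 19 chars + NUL
    v.insert(v.end(), {0x01, 0x00, 0x00, 0x00});  // PID_SENTINEL closes the list
    return v;
}
```

With the correct length of 20 the list parses to one token; a declared length that exceeds the bytes present, or the cap, is rejected before any allocation is attempted.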

Remediation

Users can upgrade to eProsima Fast DDS versions 3.4.1, 3.3.1, or 2.6.11 to address this vulnerability.

Added: Feb 3, 2026, 6:48 PM
Updated: Feb 3, 2026, 6:48 PM

Vulnerability Rating

Custom Algorithm
spread: 2.6
impact: 2.5
exploitability: 8.8
remediation: 7.7
relevance: 2.6
threat: 4.8
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.