eProsima Fast DDS Out-of-Memory Vulnerability in SPDP Packet Processing

Vulnerability

A vulnerability in eProsima Fast DDS prior to versions 3.4.1, 3.3.1 and 2.6.11 allows a remote publisher to cause an out-of-memory condition by tampering with the DATA submessage of an SPDP packet. Altering the length field of a property inside the PID_IDENTITY_TOKEN or PID_PERMISSION_TOKEN parameter causes an integer overflow during deserialization; the receiving participant then attempts an oversized allocation, exhausts memory, and terminates. The issue is reachable only when the security mode is enabled, and its effect is a remotely triggerable denial of service.

Impact

Exploitation results in a denial of service: the receiving Fast DDS application runs out of memory and terminates unexpectedly. Because the malformed data arrives in SPDP discovery traffic, the condition is triggered on receipt of the packet, and only participants running with security mode enabled are affected.

Reproduction

To reproduce, run a Fast DDS participant with security mode enabled and send it an SPDP packet whose DATA submessage carries a PID_IDENTITY_TOKEN or PID_PERMISSION_TOKEN parameter with an altered property length field. The packet can be produced by a modified publisher application or injected with a network tool capable of sending crafted packets. When the participant deserializes the tampered token, the oversized allocation drives it out of memory and the application crashes.
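As an added illustration, not code from Fast DDS or from this advisory, the C++ sketch below shows the length-validation pattern whose absence the Vulnerability and Reproduction sections describe: a deserializer that reads a length-prefixed property (the kind carried inside an identity or permissions token) must check the declared length against the bytes actually remaining, with arithmetic that cannot wrap, before allocating anything. The byte layout, the property names and the tampered buffer are all constructed for the example and do not reproduce the RTPS encoding or the real malformed packet.

```cpp
// Added example (not Fast DDS code). Buffers are assumed to be under 4 GiB so
// that offsets and lengths fit in uint32_t, which is also the width in which
// the wraparound pitfall below appears.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <utility>
#include <vector>

using Properties = std::vector<std::pair<std::string, std::string>>;

// The check many parsers write: offset + length wraps when length is
// attacker-controlled, so a huge length passes and the parser then tries to
// allocate it. This is the shape of bug the advisory describes.
bool naive_bounds_ok(uint32_t offset, uint32_t length, uint32_t size) {
    return offset + length <= size;
}

// Overflow-free form: compare the length against what is actually left.
bool safe_bounds_ok(uint32_t offset, uint32_t length, uint32_t size) {
    return offset <= size && length <= size - offset;
}

static bool read_u32(const std::vector<uint8_t>& buf, uint32_t& off, uint32_t& out) {
    if (!safe_bounds_ok(off, 4, static_cast<uint32_t>(buf.size()))) return false;
    out = static_cast<uint32_t>(buf[off])
        | (static_cast<uint32_t>(buf[off + 1]) << 8)
        | (static_cast<uint32_t>(buf[off + 2]) << 16)
        | (static_cast<uint32_t>(buf[off + 3]) << 24);
    off += 4;
    return true;
}

// Reads one length-prefixed string. The length is validated against the
// remaining bytes BEFORE any allocation, so a tampered length can never turn
// into an oversized std::string and the out-of-memory condition.
static bool read_string(const std::vector<uint8_t>& buf, uint32_t& off, std::string& out) {
    uint32_t len = 0;
    if (!read_u32(buf, off, len)) return false;
    if (!safe_bounds_ok(off, len, static_cast<uint32_t>(buf.size()))) return false;
    out.assign(reinterpret_cast<const char*>(buf.data()) + off, len);
    off += len;
    return true;
}

// Constructed layout: u32 count, then count x (string name, string value),
// little-endian throughout. Returns false and leaves `props` empty on any
// malformed input, including a trailing-garbage buffer.
bool parse_properties(const std::vector<uint8_t>& buf, Properties& props) {
    props.clear();
    uint32_t off = 0, count = 0;
    if (!read_u32(buf, off, count)) return false;
    // Every property needs at least two 4-byte length prefixes, so a count
    // above this bound is malformed; this also stops a huge count from
    // driving a large container reservation.
    if (count > (static_cast<uint32_t>(buf.size()) - off) / 8) return false;
    for (uint32_t i = 0; i < count; ++i) {
        std::string name, value;
        if (!read_string(buf, off, name) || !read_string(buf, off, value)) {
            props.clear();
            return false;
        }
        props.emplace_back(std::move(name), std::move(value));
    }
    return off == buf.size();
}

// Helpers to build sample input.
static void put_u32(std::vector<uint8_t>& buf, uint32_t v) {
    for (int i = 0; i < 4; ++i) buf.push_back(static_cast<uint8_t>(v >> (8 * i)));
}
static void put_string(std::vector<uint8_t>& buf, const std::string& s) {
    put_u32(buf, static_cast<uint32_t>(s.size()));
    buf.insert(buf.end(), s.begin(), s.end());
}

// A well-formed two-property token; names and values are constructed samples.
std::vector<uint8_t> make_valid_token() {
    std::vector<uint8_t> buf;
    put_u32(buf, 2);
    put_string(buf, "dds.cert.sn");   put_string(buf, "01");
    put_string(buf, "dds.cert.algo"); put_string(buf, "RS256");
    return buf;   // 51 bytes
}

// The same token with the first property's name length overwritten by a huge
// value, mimicking the tampering the advisory describes. 8 + 0xFFFFFFFC wraps
// to 4 in uint32_t arithmetic, so naive_bounds_ok() would accept it.
std::vector<uint8_t> make_tampered_token() {
    std::vector<uint8_t> buf = make_valid_token();
    const uint32_t huge = 0xFFFFFFFCu;
    for (int i = 0; i < 4; ++i) buf[4 + i] = static_cast<uint8_t>(huge >> (8 * i));
    return buf;
}

// Entry points that report the outcome without a harness.
std::size_t count_valid_properties() {
    Properties p;
    return parse_properties(make_valid_token(), p) ? p.size() : 0;
}
bool tampered_token_rejected() {
    Properties p;
    return !parse_properties(make_tampered_token(), p) && p.empty();
}

int main() {
    std::printf("valid token: %zu properties\n", count_valid_properties());
    std::printf("tampered token rejected: %s\n", tampered_token_rejected() ? "yes" : "no");
    std::printf("naive check accepts tampered length: %s\n",
                naive_bounds_ok(8, 0xFFFFFFFCu, 51) ? "yes" : "no");
    return 0;
}
```

The two bounds functions are the whole point: `naive_bounds_ok` reports the tampered length as in range because the addition wraps, while `safe_bounds_ok` subtracts first and so cannot overflow. Any code that allocates based on a length taken from the wire should go through a check of the second form.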

Remediation

Upgrade to eProsima Fast DDS 3.4.1, 3.3.1 or 2.6.11 (or a later release in the same line), where this vulnerability is fixed. Until the upgrade is applied, restricting which hosts can reach the participant's discovery endpoints reduces exposure, since the crafted packet must reach the SPDP receiver to take effect.

Added: Feb 3, 2026, 7:38 PM
Updated: Feb 3, 2026, 7:38 PM

Vulnerability Rating

Custom Algorithm
spread          2.6
impact          2.5
exploitability  8.8
remediation     7.7
relevance       2.7
threat          4.8
urgency         2.9
incentive       8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.