eProsima Fast DDS Out-of-Memory Vulnerability in ParticipantGenericMessage Deserialization

Vulnerability

A memory exhaustion vulnerability has been identified in eProsima Fast DDS, specifically in versions prior to 3.4.1, 3.3.1, and 2.6.11. The issue arises within the ParticipantGenericMessage component, which is responsible for handling DDS Security control messages. The vulnerability is triggered during the deserialization of the message_data property, where the parser fails to perform adequate structural validation before processing. A malformed message can therefore be used to exhaust system resources and terminate the process, producing a denial-of-service condition.
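To illustrate the bug class the advisory describes, here is an added example (not Fast DDS code, and not its wire format) of a length-prefixed sequence deserializer that performs structural validation before allocating: the declared element count is checked against the bytes actually present and a policy cap before reserve() is called, so a datagram that claims far more elements than it carries is rejected rather than turned into an allocation. DataHolder, kMaxElements and the byte layout are constructed assumptions for this illustration.

```cpp
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

// Hypothetical minimal element standing in for a DataHolder; the real
// Fast DDS type carries more fields, but the length-prefix pattern is what matters.
struct DataHolder { std::string class_id; };

static uint32_t read_u32(const uint8_t* p) {
    uint32_t v; std::memcpy(&v, p, 4); return v;  // constructed format: native byte order
}
static void put_u32(std::vector<uint8_t>& b, uint32_t v) {
    const uint8_t* p = reinterpret_cast<const uint8_t*>(&v); b.insert(b.end(), p, p + 4);
}

constexpr size_t   kMinElementSize = 4;    // every element has at least its own length prefix
constexpr uint32_t kMaxElements    = 1024; // policy cap (assumption; choose per protocol)

// Deserializes "u32 count, then count x (u32 len, len bytes)". Returns false on any
// structural inconsistency instead of trusting the sender's counts.
bool deserialize_checked(const std::vector<uint8_t>& buf, std::vector<DataHolder>& out) {
    size_t pos = 0;
    if (buf.size() < 4) return false;
    uint32_t count = read_u32(buf.data()); pos = 4;
    // The check the bug class lacks: validate count against the bytes actually
    // present (and a policy cap) BEFORE reserve() turns it into an allocation.
    if (count > kMaxElements) return false;
    if ((buf.size() - pos) / kMinElementSize < count) return false;
    out.clear();
    out.reserve(count);  // bounded by the buffer, not by what the datagram claims
    for (uint32_t i = 0; i < count; ++i) {
        if (buf.size() - pos < 4) return false;
        uint32_t len = read_u32(buf.data() + pos); pos += 4;
        if (buf.size() - pos < len) return false;
        out.push_back({std::string(reinterpret_cast<const char*>(buf.data() + pos), len)});
        pos += len;
    }
    return pos == buf.size();  // trailing bytes are a structural error too
}

// Builds a constructed sequence; declared_count may disagree with ids.size()
// to simulate a malformed message for testing the validator.
std::vector<uint8_t> make_sequence(const std::vector<std::string>& ids, uint32_t declared_count) {
    std::vector<uint8_t> b;
    put_u32(b, declared_count);
    for (const auto& id : ids) { put_u32(b, static_cast<uint32_t>(id.size())); b.insert(b.end(), id.begin(), id.end()); }
    return b;
}
```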

Impact

Exploitation of this vulnerability can lead to process termination due to an out-of-memory condition, resulting in a denial of service.

Reproduction

The vulnerability can be reproduced by sending a crafted ParticipantGenericMessage that exploits the deserialization process. This can be done using the Fast DDS library's UDP transport, by injecting a datagram that includes duplicate or malformed DataHolderSeq data. The Fast DDS blackbox test suite includes a test that replicates this scenario, demonstrating the vulnerability by sending such a malicious datagram to a participant with security enabled.

Remediation

Users can upgrade to eProsima Fast DDS versions 3.4.1, 3.3.1, or 2.6.11, where this vulnerability has been fixed.

Added: Feb 3, 2026, 8:25 PM
Updated: Feb 3, 2026, 8:25 PM

Vulnerability Rating

Custom Algorithm

spread: 2.6
impact: 2.5
exploitability: 8.4
remediation: 7.7
relevance: 2.5
threat: 4.8
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.