eProsima Fast DDS
cpe:2.3:a:eprosima:fast_dds:*:*:*:*:*:*:*
- < 3.4.1
- < 3.3.1
- < 2.6.11
A heap buffer overflow vulnerability has been identified in eProsima Fast DDS, a C++ implementation of the Data Distribution Service (DDS) standard. This vulnerability exists in versions prior to 3.4.1, 3.3.1, and 2.6.11, specifically within the Real-Time Publish-Subscribe (RTPS) DATA_FRAG receive path. An unauthenticated sender can exploit this vulnerability by sending a malformed RTPS DATA_FRAG packet with crafted 'fragmentSize' and 'sampleSize' values that disrupt internal assumptions. The vulnerability arises from a 4-byte alignment requirement during fragment metadata initialization, which allows the code to write beyond the allocated payload buffer. This overflow can lead to an immediate crash, causing a denial-of-service condition, and potentially allow for memory corruption with a risk of remote code execution.
Exploitation of this vulnerability causes a denial-of-service condition by crashing the application. In addition, the memory corruption resulting from the heap buffer overflow introduces a risk of remote code execution.
The vulnerability can be reproduced by sending a malformed RTPS DATA_FRAG packet over UDP to a Fast DDS participant. The packet must be crafted to include a 'fragmentSize' of less than 4 bytes and a 'sampleSize' that exceeds the maximum payload size, which is approximately 4GB. This can be done using a custom application or a network tool that allows for the manipulation of RTPS packet contents. Once the packet is received, the Fast DDS application will crash, demonstrating the denial-of-service impact. Additionally, the memory corruption can be exploited to execute arbitrary code remotely, depending on the specific payload used.
Users can upgrade to Fast DDS versions 3.4.1, 3.3.1, or 2.6.11, where this vulnerability has been fixed.
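The field conditions described above can be checked in captured RTPS traffic. The following detector is an added example, not eProsima code. It reads `fragmentSize` and `sampleSize` at their offsets in the standard RTPS DATA_FRAG layout. Assumptions: the function names, the `MAX_SAMPLE_SIZE` threshold (set it to the largest sample your deployment expects), and the constructed sample datagrams.

```python
import struct

DATA_FRAG, PAD, INFO_TS = 0x16, 0x01, 0x09   # RTPS submessage ids
RTPS_HEADER_LEN = 20       # "RTPS" + version(2) + vendorId(2) + guidPrefix(12)
MAX_SAMPLE_SIZE = 1 << 20  # assumption: largest sample this deployment expects

def suspicious_data_frags(datagram, max_sample_size=MAX_SAMPLE_SIZE):
    """Return (offset, fragmentSize, sampleSize, reasons) per anomalous DATA_FRAG."""
    findings = []
    if len(datagram) < RTPS_HEADER_LEN or datagram[:4] != b"RTPS":
        return findings
    pos = RTPS_HEADER_LEN
    while pos + 4 <= len(datagram):
        sub_id, flags = datagram[pos], datagram[pos + 1]
        order = "<" if flags & 0x01 else ">"      # E flag selects byte order
        (length,) = struct.unpack_from(order + "H", datagram, pos + 2)
        body = pos + 4
        # octetsToNextHeader == 0 means "runs to end of message", except for
        # PAD and INFO_TS, which may really be empty.
        if length == 0 and sub_id not in (PAD, INFO_TS):
            nxt = len(datagram)
        else:
            nxt = body + length
        if nxt > len(datagram):
            break                                  # truncated submessage
        # Fixed DATA_FRAG part is 32 bytes; fragmentSize (u16) sits at offset
        # 26 and sampleSize (u32) at offset 28 of the submessage body.
        if sub_id == DATA_FRAG and nxt - body >= 32:
            frag, sample = struct.unpack_from(order + "HI", datagram, body + 26)
            reasons = []
            if frag < 4:
                reasons.append("fragmentSize below 4 bytes")
            if sample > max_sample_size:
                reasons.append("sampleSize above configured maximum")
            if reasons:
                findings.append((pos, frag, sample, reasons))
        pos = nxt
    return findings

def constructed_datagram(frag_size, sample_size):
    """Constructed sample input: RTPS header plus one payload-less DATA_FRAG."""
    header = b"RTPS" + bytes([2, 3]) + bytes(2) + bytes(12)
    body = struct.pack("<HHIIiIIHHI", 0, 28, 0, 0, 0, 1, 1, 1, frag_size, sample_size)
    return header + struct.pack("<BBH", DATA_FRAG, 0x01, len(body)) + body

if __name__ == "__main__":
    for frag, sample in [(1024, 65536), (2, 0xFFFFFFF0)]:
        print(frag, sample, suspicious_data_frags(constructed_datagram(frag, sample)))
```

Feed it UDP payloads from a capture on the RTPS ports in use; a non-empty result identifies the submessage offset and the fields that tripped the check.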