Eprosima Micro-XRCE-DDS Agent Denial-of-Service Vulnerability via Crafted MTU Length Packet
Vulnerability
A denial-of-service vulnerability has been identified in Eprosima Micro-XRCE-DDS Agent version 3.0.1. This issue allows remote attackers to cause a crash by sending a `CREATE_CLIENT` packet with a zero-length MTU value. The agent, upon receiving this invalid MTU, attempts to allocate a message buffer of size zero, leading to a crash. This vulnerability arises because the agent does not properly validate the MTU length before performing memory allocations.
Impact
Exploitation of this vulnerability leads to a crash of the Micro-XRCE-DDS Agent, causing a denial-of-service condition.
Reproduction
To reproduce this vulnerability, send a `CREATE_CLIENT` packet with an MTU length of zero. Following this, send a `HEARTBEAT` message to trigger the response allocation process. The agent will crash due to the invalid memory allocation.
Remediation
This vulnerability has been acknowledged and patched by the vendor. The patch involves validating the MTU length during client creation and logging an error if an invalid value is detected.
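The check described above, as an added sketch that is not the vendor's patch or the agent's own code: the MTU is validated when the client is created, so the reply path never sizes a buffer from an unchecked value. All names (`SessionTable`, `create_client`, `make_reply_buffer`, `kMinMtu`) and the 12-byte minimum are assumptions made for illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <vector>

// Hypothetical names throughout; this is not the Micro-XRCE-DDS Agent API.
// Assumed floor for this sketch: the real agent's minimum may differ.
constexpr uint16_t kMinMtu = 12;

enum class CreateStatus { Ok, InvalidMtu, AlreadyExists };

class SessionTable {
public:
    // Validate the client-supplied MTU before any session state is stored,
    // so later reply paths never size a buffer from an unchecked value.
    CreateStatus create_client(uint32_t client_key, uint16_t mtu) {
        if (mtu < kMinMtu) {
            std::fprintf(stderr, "create_client: key=0x%08X rejected, mtu=%u < %u\n",
                         static_cast<unsigned>(client_key),
                         static_cast<unsigned>(mtu),
                         static_cast<unsigned>(kMinMtu));
            return CreateStatus::InvalidMtu;
        }
        bool inserted = sessions_.emplace(client_key, mtu).second;
        return inserted ? CreateStatus::Ok : CreateStatus::AlreadyExists;
    }

    // Reply path (for example when answering a HEARTBEAT): the buffer is
    // sized from the stored MTU. Unknown clients get an empty buffer.
    std::vector<uint8_t> make_reply_buffer(uint32_t client_key) const {
        auto it = sessions_.find(client_key);
        if (it == sessions_.end()) return {};
        return std::vector<uint8_t>(it->second);
    }

    std::size_t size() const { return sessions_.size(); }

private:
    std::map<uint32_t, uint16_t> sessions_;  // client key -> negotiated MTU
};

int main() {
    SessionTable table;  // constructed sample inputs below
    table.create_client(0xAABBCCDDu, 0);    // rejected and logged
    table.create_client(0x11223344u, 512);  // accepted
    std::printf("sessions=%zu reply=%zu bytes\n", table.size(),
                table.make_reply_buffer(0x11223344u).size());
    return 0;
}
```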
