eProsima Micro-XRCE-DDS Agent Denial-of-Service Vulnerability via Improper Boolean Deserialization
Vulnerability
A denial-of-service vulnerability has been identified in eProsima Micro-XRCE-DDS Agent version 3.0.1. It allows remote attackers to crash the agent by sending packets with invalid boolean values. The agent relies on the FastCdr library for data deserialization, and when a boolean field contains a value other than 0 or 1, FastCdr throws an exception. In this version the agent does not handle that exception, so it crashes.
Impact
Exploitation of this vulnerability causes the agent to crash, disrupting its normal operation and availability.
Reproduction
The vulnerability can be reproduced by sending a packet that includes a boolean field with an invalid value, such as 2 or 255. This can be done by modifying a client to send such values manually or by fuzzing the connection. The issue occurs when the agent receives a 'CREATE_CLIENT' submessage with an invalid boolean value in the 'm_properties_flag' field, which is then deserialized and causes an uncaught exception that crashes the agent.
Remediation
The vulnerability has been acknowledged and patched by the vendor. The patch involves catching the 'BadParamException' exception during the deserialization of boolean fields, preventing the agent from crashing.
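The remediation pattern described above, shown as an added C++ example that is neither the vendor's patch nor FastCdr code: BadParam, Reader and handle_create_client are hypothetical stand-ins, and the one-octet payloads are constructed. A strict boolean decoder throws on any value other than 0 or 1, and the handler catches the exception so the malformed message is rejected instead of taking the process down.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// Stand-in for the deserializer's exception type (hypothetical, not FastCdr's class).
struct BadParam : std::runtime_error {
    using std::runtime_error::runtime_error;
};

// Minimal reader over a received buffer with strict boolean decoding.
class Reader {
public:
    explicit Reader(const std::vector<uint8_t>& buf) : buf_(buf) {}

    bool read_bool() {
        if (pos_ >= buf_.size()) throw BadParam("buffer exhausted");
        const uint8_t v = buf_[pos_++];
        if (v > 1) throw BadParam("boolean octet is not 0 or 1");
        return v == 1;
    }

private:
    const std::vector<uint8_t>& buf_;
    std::size_t pos_ = 0;
};

enum class Result { Accepted, Rejected };

// Hypothetical handler: parse failures are contained here, so malformed
// network input is dropped instead of unwinding out of the receive loop.
// properties_flag is written only when decoding succeeds.
Result handle_create_client(const std::vector<uint8_t>& payload, bool& properties_flag) {
    try {
        Reader r(payload);
        properties_flag = r.read_bool();
        return Result::Accepted;
    } catch (const BadParam&) {
        return Result::Rejected;  // log and discard; the agent keeps serving
    }
}

int main() {
    bool flag = false;
    // Constructed payload: one octet standing in for the flag field.
    return handle_create_client({2}, flag) == Result::Rejected ? 0 : 1;
}
```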
