eProsima Fast DDS Out-of-Memory Vulnerability in SPDP Packet Processing

A vulnerability in eProsima Fast DDS prior to versions 3.4.1, 3.3.1, and 2.6.11 allows publishers to cause an out-of-memory condition by modifying the DATA Submessage within an SPDP packet. This manipulation leads to a remote termination of the Fast DDS process. The issue arises when the security mode is enabled and the fields 'PID_IDENTITY_TOKEN' or 'PID_PERMISSIONS_TOKEN' are tampered with, specifically by altering the 'vecsize' value read by 'readOctetVector'. This exploitation triggers a 32-bit integer overflow, causing 'std::vector::resize' to request an attacker-controlled size, rapidly depleting system memory and terminating the process.

Impact

Exploitation of this vulnerability causes a denial-of-service condition by exhausting system memory, leading to a crash of the Fast DDS process.

Reproduction

The vulnerability can be reproduced by sending an SPDP packet with a modified DATA Submessage that includes tampered 'vecsize' values in the 'PID_IDENTITY_TOKEN' or 'PID_PERMISSIONS_TOKEN' fields. This can be done using a custom publisher that injects the malicious payload into the SPDP packet, taking advantage of the Fast DDS security features.

Remediation

Users can upgrade to eProsima Fast DDS versions 3.4.1, 3.3.1, or 2.6.11 to address this vulnerability.