SB2023082217 - Reachable Assertion in eProsima Fast DDS
Published: August 22, 2023
Description
This security bulletin contains information about one security vulnerability.
1) Reachable Assertion (CVE-ID: CVE-2023-39534)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion when processing malformed GAP submessages. A remote attacker can send specially crafted traffic to the affected system and trigger the assertion, crashing the process and causing a denial of service (DoS).
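As an added illustration of the defensive pattern this class of bug calls for (this is example code, not Fast DDS's, and it does not claim to reproduce the exact failing check): a decoder for the body of an RTPS GAP submessage, laid out per the RTPS specification as readerId, writerId, gapStart and a gapList (base, numBits, bitmap), that rejects out-of-range values with a result code instead of an assertion. The sample bodies, entity ids and host-byte-order handling are constructed assumptions.

```cpp
#include <cstdint>
#include <cstring>
#include <vector>
// RTPS sequence numbers are 64-bit values carried as (high int32, low uint32).
struct SequenceNumber {
    int32_t high; uint32_t low;
    int64_t value() const { return (static_cast<int64_t>(high) << 32) | low; }
};
struct GapSubmessage { uint32_t readerId, writerId; SequenceNumber gapStart, gapListBase; uint32_t numBits; };
enum class GapResult { Ok, Truncated, InvalidStart, InvalidBase, BitmapTooLong };
static uint32_t rd32(const uint8_t* p) { uint32_t v; std::memcpy(&v, p, 4); return v; }

// Decodes a GAP body (host byte order; the RTPS endianness flag is out of scope
// here). Malformed ranges yield a result code so the caller can drop one peer's
// datagram rather than aborting the whole process on an assertion.
GapResult decode_gap(const std::vector<uint8_t>& body, GapSubmessage& out) {
    if (body.size() < 28) return GapResult::Truncated;  // fixed fields: 4+4+8+8+4 bytes
    out.readerId = rd32(&body[0]);
    out.writerId = rd32(&body[4]);
    out.gapStart = {static_cast<int32_t>(rd32(&body[8])), rd32(&body[12])};
    out.gapListBase = {static_cast<int32_t>(rd32(&body[16])), rd32(&body[20])};
    out.numBits = rd32(&body[24]);
    if (out.gapStart.value() < 1) return GapResult::InvalidStart;  // seq nums start at 1
    // The gap covers [gapStart, gapList.base); a base before gapStart would make a
    // "base - gapStart" length computation underflow, which is exactly the kind of
    // precondition that must be checked on untrusted input rather than asserted.
    if (out.gapListBase.value() < out.gapStart.value()) return GapResult::InvalidBase;
    if (out.numBits > 256) return GapResult::BitmapTooLong;  // SequenceNumberSet limit
    const size_t words = (out.numBits + 31) / 32;
    if (body.size() < 28 + words * 4) return GapResult::Truncated;
    return GapResult::Ok;
}

static void put32(std::vector<uint8_t>& v, uint32_t x) {
    uint8_t b[4]; std::memcpy(b, &x, 4); v.insert(v.end(), b, b + 4);
}
// Builds a constructed GAP body for testing; entity ids are arbitrary sample values.
std::vector<uint8_t> make_gap_body(int64_t start, int64_t base, uint32_t numBits) {
    std::vector<uint8_t> v;
    put32(v, 0x000001c2); put32(v, 0x000001c3);
    put32(v, static_cast<uint32_t>(start >> 32)); put32(v, static_cast<uint32_t>(start));
    put32(v, static_cast<uint32_t>(base >> 32)); put32(v, static_cast<uint32_t>(base));
    put32(v, numBits);
    for (uint32_t i = 0; i < (numBits + 31) / 32; ++i) put32(v, 0);  // empty bitmap
    return v;
}
// Builds, optionally truncates by drop_bytes, and decodes in one step.
GapResult check_gap(int64_t start, int64_t base, uint32_t numBits, size_t drop_bytes = 0) {
    std::vector<uint8_t> body = make_gap_body(start, base, numBits);
    body.resize(body.size() - drop_bytes);
    GapSubmessage g;
    return decode_gap(body, g);
}
```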
Remediation
Install the update from the vendor's website.
References
- https://bombshell.gtisc.gatech.edu/ddsfuzz/pcap/fastdds-assert-230509.pcap
- https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-fcr6-x23w-94wp
- https://github.com/eProsima/Fast-DDS/blob/v2.9.1/src/cpp/rtps/reader/StatefulReader.cpp#L863
- https://github.com/eProsima/Fast-DDS/blob/v2.9.1/include/fastdds/rtps/common/SequenceNumber.h#L238-L252
- https://www.debian.org/security/2023/dsa-5481