CVE ID
CVE-2023-33566
Title
Unauthorized Node Injection Vulnerability in ROS2 Foxy Fitzroy
Vulnerability Type
Injection
Severity
TBD (Upon Analysis)
Vendor
The Open Source Robotics Foundation (OSRF)
Products Affected
ROS2 Foxy Fitzroy (ROS_VERSION=2 and ROS_PYTHON_VERSION=3)
Description
An unauthorized node injection vulnerability has been identified in ROS2 Foxy Fitzroy versions where ROS_VERSION is 2 and ROS_PYTHON_VERSION is 3. This vulnerability could allow a malicious user to inject malicious ROS2 nodes into the system remotely. Once injected, these nodes could disrupt the normal operations of the system or cause other potentially harmful behavior.
Impact
Successful exploitation of this vulnerability could allow an attacker to inject malicious nodes into the system, disrupting regular operations and potentially leading to unauthorized access or control over robotic operations. Depending on the nature and functionality of the affected system, this could have serious implications.
Attack Vector
This vulnerability can be exploited remotely. The specifics of the attack vector are currently undisclosed.
Solution
Users are advised to update to the latest version as soon as it becomes available and monitor advisories from the ROS2 development team. In the interim, users should consider implementing strict access controls to help mitigate potential unauthorized access.
Workaround
There is currently no known workaround for this vulnerability. The primary mitigation is to update to a patched version as soon as it is available.
CVE Status
Confirmed and published.
Credit
Yash Patel and Dr. Parag Rughani