Trend Micro Inc.
Trend Micro Inc.
04/19/2022 | News release | Distributed by Public on 04/19/2022 06:21
Critically Underrated: Studying the Data Distribution Service (DDS) Protocol
By Federico Maggi, Rainer Vosseler (Trend Micro Research), Mars Cheng, Patrick Kuo, Chizuru Toyama, Ta-Lun Yen (TXOne Networks), Erik Boasson (ADLINK), and Victor Mayoral Vilches (Alias Robotics)
Despite being unknown even to industry practitioners, the Data Distribution Service (DDS) protocol has been in use for more than a decade. This middleware software technology is responsible for running billions of public and private devices and mechanisms currently in use. DDS is integral in embedded systems that require real-time machine-to-machine communication, facilitating a reliable communication layer between sensors, controllers, and actuators.
This technology is situated at the beginning of the supply chain as a layer that connects, controls, and monitors applications, sensors, and actuators, aimed at maintaining interoperability and fault tolerance. It is used in various critical sectors such as healthcare, transportation, industrial internet of things (IIoT), robotics, aeronautics, and the military, among others. Given these factors, this makes the middleware technology an attractive target for attackers.
We analyzed this software and found multiple security vulnerabilities. This blog lists 13 identified security gaps that were assigned new CVE IDs found in the six most common DDS implementations, mostly concerning deployment. We also show a preview of the security gaps we found in the standard's specification and a summary of our testing procedure. For details on the known vulnerabilities, attack scenarios, and research methodology, read our full paper "A Security Analysis of the Data Distribution Service (DDS) Protocol." All the vulnerabilities found have been disclosed and patched or mitigated by their respective vendors.
New vulnerabilities
We studied six widely used DDS implementations, chosen based on executions' number of users and customers in the critical sectors globally. We also looked at each implementation's real-time publish-subscribe (RTPS) packet, as DDS is dependent on its own lower layer standard protocol.
Notably, we also studied the Robot Operating System 2 (ROS 2) because it uses DDS as its default standard operating system (OS) middleware for all robotics and automation use cases. Given the service's position as a security and operations building block, all vulnerabilities that affect DDS also affect the rest of the software stack, such as RTPS and all ROS 2 instances.
| Product Name | Developer | HQ Region | Open Source | Core Language | Year Developed |
| Fast-DDS | eProsima | EMEA | Apache License 2.0 | C++ | 2014 |
| Cyclone DDS | Eclipse Foundation project, driven by ADLINK | EMEA | Eclipse Public License 2.0 and Eclipse Development License 1.0 | C | 2011 |
| OpenDDS | OCI | NABU | Custom | C++ | 2005 |
| Connext DDS | RTI | NABU | Extensions are open source | C++ | 2005 (NDDS - 1995) |
| CoreDX DDS | TwinOaks | NABU | Not open source | C | 2009 |
| Gurum DDS | GurumNetworks | APAC | Not open source | C |
Table 1. A list of all DDS implementations analyzed for this research.
| MITRE ATT&CK ICS | Attack Surface | Vector | CVE | Scope | CVSS | Weaknesses (CWE) |
|
T0804: Brute Force I/O T0814: DoS T0827: Loss of Control T0880: Loss of Safety T0802: Automated Collection T0846: Remote System Discovery T0856: Spoof of Reporting Message |
Network | RTPS discovery packet | CVE-2021-38425 | Fast-DDS, ROS 2 | 7.5 | CWE-406: Network amplification |
| CVE-2021-38429 | OpenDDS, ROS 2 | 7.5 | ||||
| CVE-2021-38487 | Connext DDS, ROS 2 | 7.5 | ||||
| CVE-2021-43547 | CoreDX DDS, ROS 2 | 7.5 | ||||
| Malformed RTPS packet | CVE-2021-38447 | OpenDDS, ROS 2 | 8.6 | CWE-405: Network amplification | ||
| CVE-2021-38445 | OpenDDS, ROS 2 | 7.0 | CWE-130: Improper handling of length | |||
| CVE-2021-38423 | Gurum DDS, ROS 2 | 8.6 | CWE-131: Incorrect calculation of buffer size | |||
| CVE-2021-38435 | Connext DDS, ROS 2 | 8.6 | ||||
| CVE-2021-38439 | Gurum DDS, ROS 2 | 8.6 | CWE-122: Heap-based buffer overflow | |||
|
T0862: Supply Chain Compromise T0839: Module Firmware T0873: Project File Infection |
Configuration | XML file | CVE-2021-38427 | Connext DDS, ROS 2 | 6.6 | CWE-121: Stack-based buffer overflow |
| CVE-2021-38433 | Connext DDS, ROS 2 | 6.6 | ||||
| CVE-2021-38443 | Cyclone DDS, ROS 2 | 6.6 | CWE-228: Improper handling of syntactically invalid structure | |||
| CVE-2021-38441 | Cyclone DDS, ROS 2 | 6.6 | CWE-123: Write-what-where condition |
Table 2. A summary of our findings across the main DDS implementations and standard specification.
When the security gaps on the network attack surface are exploited, it allows an attacker to perform spoofing, reconnaissance, automated data collection, and denial of service (DoS), affecting the control of an exposed system. Meanwhile, the vulnerabilities we found on the configuration attack surface can be abused to affect the DDS developer or system integrator, potentially compromising the integrity of the software supply chain.
Vulnerabilities in the standard specification
The built-in RTPS discovery protocol is used in peer-to-peer networks to discover the locator of each participant (such as IP address and UDP/TCP port or offset in shared memory). The "chatty" nature of this discovery protocol and the fact that it expects a reply from each contacted participant, paired with easy-to-spoof transport protocols such as the User Datagram Protocol (UDP), make RTPS vulnerable to network reflection and amplification. Confidentiality and authenticity for this data is not protected even with DDS Security, making it possible for an attacker to spoof the information.
| CVE ID | Scope | Partially Mitigated* | BAF |
Percentage of Attack Duration (Total experiment duration = 139s) |
| CVE-2021-38425 | Fast-DDS, ROS 2 | master branch | 9.875 | 100.0 |
| CVE-2021-38429 | OpenDDS, ROS 2 | >= 3.18.1 | 18.68 | 24.17 |
| CVE-2021-38487 | Connext DDS, ROS 2 | >= 6.1.0 | 2.011 | 84.17 |
| CVE-2021-43547 | CoreDX DDS, ROS 2 | > 5.9.1 | 32.82 | 18.14 |
Table 3. The network reflection and amplification vulnerability with bandwidth amplification factor (BAF) is calculated as the ratio between outbound and reflected traffic.
Note: Implementations with less than 100% attack duration likely have a timeout mechanism. (*) A full mitigation will require relevant changes in the RTPS specification.
The longest running node was based on Connext DDS (at 139 seconds), which we kept as a reference. Table 3 shows that the BAF is greater than one, implying there are asymmetric network flows although the values are at the order of magnitude lower than modern amplification attacks (note that Memcached can reach 10,000 to 51,000 BAF). However, the network bandwidth in embedded systems is also lower than, for example, what internet nodes can provide.
An attacker can abuse this built-in discovery feature for remote discovery and fingerprinting. We sent RPTS discovery probes to the entire IPv4 space (except for the no-scan subnets) and received answers from 643 hosts (excluding obvious honeypots). Notably, hosts never stopped sending traffic to us, even if we only sent them a single 288-byte packet.
This new network-reflection vulnerability that we found is not the only instance of a specification-level vulnerability. Security researchers from different organizations have been documenting and creating attack scenarios abusing these vulnerabilities as early as 2015.
Conclusion
Proper supply chain management processes allow contextualization, tracking, and monitoring of new vulnerabilities within different downstream software using a specific library such as DDS. In the case of this middleware technology, DDS is just one of the many critical libraries used in embedded applications that's easy to lose track of. Our paper, "A Security Analysis of the Data Distribution Service (DDS) Protocol," includes short- and long-term mitigation best practices and recommendations, as well as a consideration for adopting a shift-left approach.
We also acknowledge the cooperation and engaging response that some vendors like ADLINK have adopted when we approached them with our findings. As we encourage more DDS researchers, users, and implementors to keep on studying and promoting security awareness for the DDS ecosystem, we hope the level of engagement we received can serve as a model for the software industry.
Download our full paper here.
Tags