CVE-2023-24011
Published: 09 January 2025
Summary
CVE-2023-24011 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 37.1 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-17 (Public Key Infrastructure Certificates) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2023-24011 is a vulnerability arising from a non-compliant implementation of permission document verification in some DDS vendors, specifically due to improper use of the OpenSSL PKCS7_verify function for validating S/MIME signatures. It affects secure DDS databus systems, enabling exploitation through vulnerable attributes in the configuration of PKCS#7 certificate validation. Components impacted include DDS Participants and ROS 2 Nodes that rely on these mechanisms.
The attack scenario involves an unauthenticated attacker over the network (AV:N/AC:L/PR:N) crafting malicious DDS Participants or ROS 2 Nodes equipped with valid certificates. Successful exploitation grants full control over the targeted secure DDS databus system, with a CVSS v3.1 score of 8.2 (C:H/I:N/A:L/S:U), primarily exposing sensitive information (CWE-200) while causing limited availability impact.
Advisories and related discussions are available at https://gist.github.com/vmayoral/235c02d0b0ef85a29812eff6980ff80d and https://github.com/ros2/sros2/issues/282, which provide further details on the issue in the context of DDS and ROS 2 implementations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-28075
Vulnerability details
An attacker can arbitrarily craft malicious DDS Participants (or ROS 2 Nodes) with valid certificates to compromise and get full control of the attacked secure DDS databus system by exploiting vulnerable attributes in the configuration of PKCS#7 certificate’s validation. This is caused by a non-compliant implementation of permission document verification used by some DDS vendors. Specifically, an improper use of the OpenSSL PKCS7_verify function used to validate S/MIME signatures.
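The verification step the advisory describes, reduced to OpenSSL's command-line equivalent as an added example (not code from the advisory, the linked discussions, or any DDS vendor): a permissions document signed by a certificate the Permissions CA never issued is rejected when the signer must chain to that CA, but accepted when signer verification is skipped with -noverify (the CLI form of the PKCS7_NOVERIFY flag). The example assumes, for illustration only, that skipping signer-chain verification is the weak setting at issue; the CA, both signers and the XML document are constructed inside the script.

```shell
#!/bin/sh
# Added example, not the advisory's or any DDS vendor's code. Shows why the
# S/MIME signature on a DDS permissions document must chain to the
# Permissions CA instead of only matching the certificate carried inside
# the message. All keys, certificates and the XML are constructed here.
set -eu
WORK=$(mktemp -d)
cd "$WORK"
quiet() { "$@" >/dev/null 2>&1; }

# Trust anchor: the (hypothetical) Permissions CA a participant is configured with.
quiet openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Permissions CA" -keyout ca.key -out ca.pem
# Legitimate signer: a certificate issued by the Permissions CA.
quiet openssl req -newkey rsa:2048 -nodes -subj "/CN=authorized signer" \
  -keyout good.key -out good.csr
quiet openssl x509 -req -days 1 -in good.csr -CA ca.pem -CAkey ca.key \
  -CAcreateserial -out good.pem
# Rogue signer: a well-formed self-signed certificate the Permissions CA never issued.
quiet openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=rogue signer" -keyout rogue.key -out rogue.pem

# A minimal constructed permissions document, S/MIME-signed by each party.
printf '<permissions><grant name="demo"/></permissions>\n' > permissions.xml
quiet openssl smime -sign -in permissions.xml -signer good.pem -inkey good.key -out good.p7s
quiet openssl smime -sign -in permissions.xml -signer rogue.pem -inkey rogue.key -out rogue.p7s

# Weak configuration: -noverify (PKCS7_NOVERIFY in the C API) only checks that
# the signature matches the certificate embedded in the message, so any
# certificate, including the rogue one, is accepted. Returns 0 on acceptance.
verify_noverify() { quiet openssl smime -verify -noverify -in "$1" -out /dev/null; }
# Correct configuration: the embedded signer must chain to the Permissions CA.
verify_chained() { quiet openssl smime -verify -CAfile ca.pem -in "$1" -out /dev/null; }

for doc in good.p7s rogue.p7s; do
  verify_chained "$doc" && echo "$doc: accepted (chained to CA)" || echo "$doc: rejected (chained to CA)"
  verify_noverify "$doc" && echo "$doc: accepted (-noverify)" || echo "$doc: rejected (-noverify)"
done
```

Only rogue.p7s changes outcome between the two checks, which is the difference between rejecting and accepting a participant whose certificate is valid but was never issued by the Permissions CA.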
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The flaw permits direct, remote, unauthenticated exploitation of a network-exposed DDS/ROS 2 permission-validation step (PKCS#7/S/MIME), leading to full system compromise.
Mitigating Controls (NIST 800-53 r5)
- SC-17 (Public Key Infrastructure Certificates): mandates validation of public key certificates prior to use, directly addressing the improper PKCS7_verify usage in certificate and permission document verification.
- Requires verification of component authenticity prior to or during connections, preventing maliciously crafted DDS Participants or ROS 2 Nodes from compromising the databus.
- SI-2 (Flaw Remediation): ensures timely flaw remediation to patch the non-compliant OpenSSL PKCS7_verify usage exploited by attackers holding valid certificates.