Researchers have discovered a number of serious vulnerabilities in several proprietary and open-source implementations of the Data Distribution Service (DDS) standard, some of which can lead to remote code execution.
Seven implementations of the DDS standard are affected, including Eclipse Cyclone DDS, eProsima Fast DDS, Gurum DDS, and Twin Oaks Computing CoreDX DDS. The DDS standard is an open specification designed to create a model for machine-to-machine communications in real-time and embedded systems.
The most serious vulnerabilities lie in the Gurum DDS, which contains two separate buffer overflows. One of the flaws is a heap buffer overflow (CVE-2021-38439) that can allow a remote attacker to run arbitrary code.
“All versions of GurumDDS are vulnerable to heap-based buffer overflow, which may cause a denial-of-service condition or remotely execute arbitrary code,” an advisory from the Cybersecurity and Infrastructure Security Agency says.
The Eclipse Cyclone DDS has two vulnerabilities that can allow an attacker to write arbitrary code to the system’s XML parser. Both flaws are present in versions prior to 0.8.0. Eclipse has released an updated version of the system to address the bugs.
RTI Connext DDS Professional and Connext DDS Secure both contain two individual stack buffer overflows. Both bugs can allow a local attacker to execute arbitrary code on vulnerable implementations. The flaws affect versions 4.2.x through 6.1.0. Those versions are also vulnerable to a classic buffer overflow and a separate network amplification bug.
“RTI Connext DDS Professional, Connext DDS Secure Versions 4.2x to 6.1.0, and Connext DDS Micro Versions 2.4 and later are vulnerable when an attacker sends a specially crafted packet to flood target devices with unwanted traffic. This may result in a denial-of-service condition and information exposure,” the CISA advisory says.
RTI has released updated versions of the two affected products to address the vulnerabilities.
Researchers from Trend Micro Research discovered the vulnerabilities and reported them to CISA.