RVD#87: Unauthenticated registration/unregistration with ROS Master API

[aliasbot]

id: 87
title: 'RVD#87: Unauthenticated registration/unregistration with ROS Master API'
type: vulnerability
description: "This vulnerability has previously been disclosed in a variety of peer-reviewed\
  \ articles. Among them and of most relevance is *Dieber, B., Breiling, B., Taurer,\
  \ S., Kacianka, S., Rass, S., & Schartner, P. (2017). Security for the Robot Operating\
  \ System. Robotics and Autonomous Systems, 98, 192-203*.The vulnerability applies\
  \ to the [ROS Master API](http://wiki.ros.org/ROS/Master_API#register.2BAC8-unregister_methods),\
  \  a standardized interface to connect to the centralized hub of the Robot Operating\
  \ System, the master (acting as a server). The ROS Master facilitates discovery\
  \ information to all the nodes in the ROS network. Correspondingly, the Master API\
  \ provides means for topic and service registration, namespace (URI) lookup and\
  \ mechanisms for establishing or finalizing distributed (publish/subscribe) networking\
  \ communications. As described at http://wiki.ros.org/ROS/Master_API#register.2BAC8-unregister_methods,\
  \ there is no authentication enforced within the API. Particularly, for registering\
  \ a new publisher, the API method is as follows:\r\n **registerPublisher(caller_id,\
  \ topic, topic_type, caller_api)**\r\n \r\n Register the caller as a publisher the\
  \ topic.\r\n \r\n Parameters\r\n \r\n *callerid* (str)\r\n \r\n ROS caller ID\r\n\
  \ *topic* (str)\r\n \r\n Fully-qualified name of topic to register.\r\n *topictype*\
  \ (str)\r\n \r\n Datatype for topic. Must be a package-resource name, i.e. the .msg\
  \ name.\r\n *callerapi* (str)\r\n \r\nAPI URI of publisher to register.\r\nReturns\
  \ (int, str, [str])\r\n \r\n (code, statusMessage, subscriberApis)\r\n \r\n List\
  \ of current subscribers of topic in the form of XMLRPC URIs.\r\nThere is no verification\
  \ that the arguments given are valid. This leads to a vulnerability that attackers\
  \ can exploit to register or unregister selected Publishers, Subscribers or Services\
  \ on demand.A few remarks:\r\n- Attack complexity is low due to existing tools that\
  \ allow to exploit this vulnerability\r\n- Scope is the internal network of the\
  \ robot\r\n- No safety implications have been remarked since the vulnerability affects\
  \ a robot (software) component and not a complete system by itself. It should be\
  \ noted however, that a  robotic system using a vulnerable ROS setup  could easily\
  \ cause human harm and thereby affect safety.Further details about exploitation\
  \ provided below."
cwe: CWE-Missing Authentication for Critical Function (CWE-306)
cve: None
keywords:
- components software
- 'robot component: ROS'
- 'severity: high'
- 'state: new'
- vulnerability
system: ROS
vendor: N/A
severity:
  rvss-score: 7.1
  rvss-vector: RVSS:1.0/AV:IN/AC:L/PR:N/UI:N/Y:Z/S:U/C:H/I:N/A:H/H:N
  severity-description: high
  cvss-score: 9.1
  cvss-vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
links:
- https://github.com/aliasrobotics/RVD/issues/87
flaw:
  phase: unknown
  specificity: N/A
  architectural-location: N/A
  application: N/A
  subsystem: N/A
  package: N/A
  languages: None
  date-detected: '2018-10-20'
  detected-by: ''
  detected-by-method: N/A
  date-reported: '2018-10-20'
  reported-by: ''
  reported-by-relationship: N/A
  issue: https://github.com/aliasrobotics/RVD/issues/87
  reproducibility: ''
  trace: null
  reproduction: ''
  reproduction-image: ''
exploitation:
  description: ''
  exploitation-image: ''
  exploitation-vector: ''
  exploitation-recipe: ''
mitigation:
  description: ''
  pull-request: ''
  date-mitigation: ''

[vmayoral]

Updated CWE-ID.

[vmayoral]

Demonstration of the exploitation of this vulnerability available at https://github.com/vmayoral/basic_robot_cybersecurity/tree/master/robot_exploitation/tutorial11.

[github-actions]

Feedback (automatically generated):

• FIXME: Flaw not identified as a vulnerability, weakness or exposure. Have you included # Vulnerability (or Weakness or Exposure) report at the top of the ticket?, see for more information or review other tickets to get inspiration

Please review the feedback above. Once addressed, either request the removal of the malformed label to trigger another automatic review.

[github-actions]

Feedback (automatically generated):

• FIXME: Robot or Robot component not present in summary table or invalid, see for more information or review other tickets and get inspiration

Please review the feedback above. Once addressed, either request the removal of the malformed label to trigger another automatic review.