CVE-2021-37146

7.5 HIGH

📋 TL;DR

CVE-2021-37146 is an infinite loop in the XML-RPC server code of Open Robotics' ros_comm, the communication stack of ROS 1. A single crafted XML-RPC call from an unauthenticated remote client sends the receiving master or node into a loop that never returns, so the process stops servicing its API: a denial of service with no memory corruption and no data exposure. Affected: ROS Melodic ros_comm through 1.14.11 (the NVD description abbreviates this as 1.4.11; Melodic ros_comm is versioned 1.14.x) and ROS Noetic ros_comm through 1.15.11, which in practice means every Melodic or Noetic robot that has not taken the fixed ros_comm release.

💻 Affected Systems

Products:
  • Open Robotics ROS Melodic
  • Open Robotics ROS Noetic
Versions: ROS Melodic ros_comm through 1.14.11 (written as 1.4.11 in the NVD entry), ROS Noetic ros_comm through 1.15.11
Operating Systems: Linux (Ubuntu 18.04/Bionic for Melodic, Ubuntu 20.04/Focal for Noetic)
Default Config Vulnerable: ⚠️ Yes
Notes: Every ROS 1 master and every node runs an XML-RPC server from ros_comm; it is the mechanism nodes use to register and to negotiate connections and cannot be switched off. There is no non-default configuration that avoids the vulnerable code, so all Melodic and Noetic deployments on the listed versions are affected.

📦 What is this software?

ros_comm is the core communication layer of ROS 1 (Robot Operating System). It provides the master (rosmaster), the client libraries roscpp and rospy, the command-line tools (rosnode, rostopic, rosbag) and the XML-RPC plumbing through which nodes register with the master and negotiate topic and service connections. Because every ROS 1 process exposes one of these XML-RPC endpoints, a bug in that server code is reachable on every node of a robot, not just on the master.
⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service disruption of ROS communication nodes, potentially halting robotic operations and causing system downtime.

🟠

Likely Case

Degraded performance or temporary unavailability of ROS communication services until manual restart.

🟢

If Mitigated

Limited impact with proper network segmentation and monitoring allowing quick detection and response.

🌐 Internet-Facing: HIGH - Remote attackers can exploit without authentication via network access.
🏢 Internal Only: MEDIUM - Internal attackers or compromised systems could still exploit, but requires network access to ROS nodes.

🎯 Exploit Status

Public PoC: No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending crafted XMLRPC calls to vulnerable ROS nodes, which is straightforward for attackers with network access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: ros_comm 1.14.12 or later (ROS Melodic), ros_comm 1.15.12 or later (ROS Noetic)

Vendor Advisory: https://discourse.ros.org/t/new-packages-for-melodic-2021-09-27/22446

Restart Required: Yes

Instructions:

1. Update the ROS packages: sudo apt update && sudo apt upgrade. The fix ships inside the ros_comm subpackages (ros-<distro>-roscpp, ros-<distro>-rospy, ros-<distro>-rosmaster, ros-<distro>-xmlrpcpp and friends), which are all released together under one ros_comm version, so a normal upgrade of the distribution's ros-* packages is what picks it up.
2. Restart roscore (the master) and every node. The libraries are loaded at process start, so long-running launch files must be relaunched, not just have new nodes started.
3. Verify the installed ros_comm version (rospack find prints a path, not a version): dpkg -s ros-$ROS_DISTRO-ros-comm | grep ^Version, or rosversion roscpp. The upstream part of the version must be at least 1.14.12 (Melodic) or 1.15.12 (Noetic).

🔧 Temporary Workarounds

Network Segmentation

linux

The master listens on TCP 11311 by default, but every node also runs its own XML-RPC server on an ephemeral port, and the vulnerable server code runs in all of them. A rule that only drops 11311 therefore leaves the nodes reachable. Filter by source address for the whole host and allow only the robot's trusted peers; 10.0.0.0/24 below is a placeholder for that subnet. The ufw rules give a host-wide default deny (ufw keeps loopback and established connections working); the iptables rule is the port-only variant if you cannot change the host policy.

sudo ufw default deny incoming
sudo ufw allow proto tcp from 10.0.0.0/24
sudo ufw enable
sudo iptables -A INPUT -p tcp --dport 11311 ! -s 10.0.0.0/24 -j DROP

XML-RPC cannot be disabled

all

There is no alternative communication method to switch to: the XML-RPC API is how ROS 1 nodes find the master and negotiate topic and service connections, so turning it off stops the graph. Setting ROS_MASTER_URI to http://localhost:11311 only tells clients on that machine where to look for the master; it does not change what the master binds to or who can connect to it. Short of patching, the firewall rules above, a VPN, or a dedicated robot VLAN are the only real workarounds.

🧯 If You Can't Patch

  • Put the robot's hosts on a network where only trusted peers can open TCP connections to them; node XML-RPC ports are ephemeral, so the allow-list has to be by source address, not by port
  • Watch for the symptom rather than the cause: a roscore or node process pinned at 100% of one core that no longer answers rosnode ping is the signature of the loop
  • Run a watchdog that restarts a master or node that stops answering its XML-RPC API, so a successful DoS becomes a short outage rather than an indefinite one

🔍 How to Verify

Check if Vulnerable:

Look up the installed ros_comm package for your distribution (the metapackage and its subpackages share one version):

dpkg -s ros-$ROS_DISTRO-ros-comm | grep ^Version

Check Version:

dpkg -l 'ros-*-ros-comm' || rosversion roscpp

Verify Fix Applied:

The upstream part of the version (before the Debian revision after the dash) must be >= 1.14.12 on Melodic or >= 1.15.12 on Noetic. rospack find ros_comm only prints the package path and does not show a version; use rosversion or dpkg as above.
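Added example, not the advisory's or the ROS project's code: a small Python checker that parses `dpkg -s ros-<distro>-ros-comm` output and compares the upstream ros_comm version numerically against the fixed releases this page lists, so that 1.15.9 is not misread as newer than 1.15.11 the way a plain string comparison would. The dpkg output embedded below is constructed, and the FIXED table holds this page's patch versions; edit it if your distribution's advisory states different numbers.

```python
"""Decide whether an installed ros_comm falls in the CVE-2021-37146 range.

Added example; not part of the advisory or of ros_comm. FIXED holds the
patch versions given on this page (assumption: edit if your advisory differs).
"""
import re
import subprocess
from typing import Dict, Optional, Tuple

FIXED: Dict[str, Tuple[int, ...]] = {"melodic": (1, 14, 12), "noetic": (1, 15, 12)}


def upstream_version(debian_version: str) -> Tuple[int, ...]:
    """'1.15.11-1focal.20210803.212211' -> (1, 15, 11).

    Strips a Debian epoch (before ':') and the revision (after the last '-')
    so only the upstream ros_comm version is compared, component by component.
    """
    upstream = debian_version.split(":", 1)[-1].rsplit("-", 1)[0]
    return tuple(int(part) for part in re.findall(r"\d+", upstream))


def parse_dpkg_status(text: str) -> Optional[str]:
    """Version field of `dpkg -s <pkg>` output, or None if the package is not installed."""
    if "Status: install ok installed" not in text:
        return None
    match = re.search(r"^Version:\s*(\S+)", text, re.MULTILINE)
    return match.group(1) if match else None


def is_vulnerable(distro: str, debian_version: str) -> bool:
    """True when the installed upstream version is older than the fixed release."""
    return upstream_version(debian_version) < FIXED[distro.lower()]


def check_installed(distro: str) -> Optional[bool]:
    """Query dpkg on this host; None when ros-<distro>-ros-comm is absent or dpkg is missing."""
    pkg = f"ros-{distro}-ros-comm"
    try:
        proc = subprocess.run(["dpkg", "-s", pkg], capture_output=True, text=True)
    except FileNotFoundError:          # not a Debian-based host
        return None
    version = parse_dpkg_status(proc.stdout) if proc.returncode == 0 else None
    return None if version is None else is_vulnerable(distro, version)


# Constructed `dpkg -s` output for a vulnerable Noetic install; not captured from a real host.
SAMPLE_DPKG_STATUS = """Package: ros-noetic-ros-comm
Status: install ok installed
Section: misc
Version: 1.15.11-1focal.20210803.212211
Depends: ros-noetic-message-filters, ros-noetic-ros, ros-noetic-rosbag
"""

if __name__ == "__main__":
    version = parse_dpkg_status(SAMPLE_DPKG_STATUS)
    state = "VULNERABLE" if is_vulnerable("noetic", version) else "fixed"
    print(f"noetic ros_comm {version}: {state}")
    live = check_installed("noetic")
    if live is not None:
        print("this host:", "VULNERABLE" if live else "fixed")
```

Run it as-is to see the constructed sample classified; on a real Noetic or Melodic host `check_installed()` queries dpkg and reports the live state alongside it.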

📡 Detection & Monitoring

Process Indicators:

  • A roscore or node process pinned at 100% of one core with no matching workload
  • rosnode ping <node> timing out while rosnode list still shows the node (its port stays open; only the request handling is stuck)

Log Indicators:

  • XML-RPC timeouts or connection errors in the master log (~/.ros/log/<run_id>/master.log) and in node logs
  • Repeated connection attempts to port 11311 from hosts that are not part of the robot's graph

Network Indicators:

  • TCP connections to port 11311, or to node XML-RPC ports, from addresses outside the trusted ROS subnet
  • XML-RPC POST requests (Content-Type: text/xml) whose body is malformed or names a method that is not part of the ROS Master or Slave API

SIEM Query (Splunk-style; parenthesised so the AND/OR precedence is explicit, with 10.0.0.0/24 as a placeholder for the trusted ROS subnet):

(source="ros_logs" AND "xmlrpc" AND ("error" OR "timeout")) OR (destination_port=11311 AND protocol="TCP" AND NOT src_ip IN ("10.0.0.0/24"))
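Added example, not code from ros_comm or the advisory: a liveness probe that turns the "node listed but not answering" indicator into a check. It uses only the documented ROS 1 Master API (getSystemState, lookupNode) and Slave API (getPid) over Python's standard-library XML-RPC client. A node whose XML-RPC dispatcher is spinning still has its listening socket open, so a port scan or `rosnode list` looks healthy; what fails is the reply, which the probe records as a socket timeout. The master URI, caller id, timeout and the offline fake graph at the bottom are all assumptions made for this example.

```python
"""Liveness probe for ROS 1 masters and nodes over their XML-RPC API.

Added example; not part of ros_comm. Against a live graph run audit() with the
real proxy; demo() drives the same code path over a constructed fake graph.
"""
import socket
import xmlrpc.client
from typing import Callable, Dict

CALLER_ID = "/cve_2021_37146_probe"   # any caller id string is accepted by the ROS API
PROBE_TIMEOUT = 2.0                    # seconds; a healthy node answers getPid in milliseconds
ProxyFactory = Callable[[str], object]


def real_proxy(uri: str) -> xmlrpc.client.ServerProxy:
    """XML-RPC client for a master or node URI; the default timeout bounds every socket op."""
    socket.setdefaulttimeout(PROBE_TIMEOUT)
    return xmlrpc.client.ServerProxy(uri)


def list_nodes(master_uri: str, proxy: ProxyFactory) -> Dict[str, str]:
    """{node_name: node_uri} for every node the master knows as publisher, subscriber or service."""
    master = proxy(master_uri)
    code, msg, state = master.getSystemState(CALLER_ID)
    if code != 1:
        raise RuntimeError(f"getSystemState failed: {msg}")
    names = set()
    for entries in state:                     # state == [publishers, subscribers, services]
        for _topic, node_names in entries:    # each entry is [topic_or_service, [node, ...]]
            names.update(node_names)
    uris = {}
    for name in sorted(names):
        code, _msg, uri = master.lookupNode(CALLER_ID, name)
        if code == 1:
            uris[name] = uri
    return uris


def probe(uri: str, proxy: ProxyFactory) -> str:
    """'ok' if getPid is answered, 'hung' if the request is accepted but never answered, 'down' if refused."""
    try:
        code, _msg, _pid = proxy(uri).getPid(CALLER_ID)
        return "ok" if code == 1 else "error"
    except (socket.timeout, TimeoutError):   # connection open, no reply within PROBE_TIMEOUT
        return "hung"
    except OSError:                          # refused / unreachable: process is gone
        return "down"


def audit(master_uri: str = "http://localhost:11311", proxy: ProxyFactory = real_proxy) -> Dict[str, str]:
    """Probe every node the master lists; hung ones are the DoS suspects."""
    return {name: probe(uri, proxy) for name, uri in list_nodes(master_uri, proxy).items()}


# Constructed offline graph so the probe can be exercised without a roscore (assumed names).
class _FakeMaster:
    def __init__(self, node_uris): self.node_uris = node_uris
    def getSystemState(self, caller_id):
        return [1, "current state", [[["/scan", list(self.node_uris)]], [], []]]
    def lookupNode(self, caller_id, name):
        return [1, "node api", self.node_uris[name]]


class _FakeNode:
    def __init__(self, behaviour): self.behaviour = behaviour
    def getPid(self, caller_id):
        if self.behaviour == "hung":
            raise socket.timeout("timed out")
        if self.behaviour == "down":
            raise ConnectionRefusedError(111, "Connection refused")
        return [1, "", 4242]


CONSTRUCTED_GRAPH = {"/lidar_driver": "ok", "/planner": "hung", "/rosout": "down"}


def demo() -> Dict[str, str]:
    """audit() over the constructed graph; same code path as a live run."""
    node_uris = {n: f"http://localhost:{40000 + i}" for i, n in enumerate(CONSTRUCTED_GRAPH)}
    uri_to_name = {u: n for n, u in node_uris.items()}

    def fake_proxy(uri):
        if uri == "http://localhost:11311":
            return _FakeMaster(node_uris)
        return _FakeNode(CONSTRUCTED_GRAPH[uri_to_name[uri]])

    return audit("http://localhost:11311", fake_proxy)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:15s} {status}")
```

A "hung" result is the one to alert on: "down" nodes crash loudly and show up in rosout, but a node stuck in the loop stays registered with the master and keeps its port open, so only a request that waits for an answer distinguishes it from a healthy one. Run the audit from cron or a watchdog and restart whatever comes back hung.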

🔗 References

  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2021-37146
  • ROS Discourse, Melodic package sync of 2021-09-27 (vendor advisory): https://discourse.ros.org/t/new-packages-for-melodic-2021-09-27/22446