CVE-2023-39534

7.5 HIGH

📋 TL;DR

A vulnerability in eprosima Fast DDS allows remote attackers to cause denial of service by sending a specially crafted GAP submessage that triggers an assertion failure, crashing the FastDDS service. This affects all systems running vulnerable versions of Fast DDS before patched releases. The vulnerability requires network access to the FastDDS service.

💻 Affected Systems

Products:
  • eprosima Fast DDS
Versions: All versions before 2.10.0, 2.9.2, and 2.6.5
Operating Systems: All operating systems running Fast DDS
Default Config Vulnerable: ⚠️ Yes
Notes: All FastDDS deployments using vulnerable versions are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete denial of service for all DDS communications, disrupting critical real-time systems that rely on Fast DDS for data distribution.

🟠 Likely Case

Service crash requiring manual restart, causing temporary disruption to DDS-based applications until service is restored.

🟢 If Mitigated

No impact if patched versions are deployed or if network controls prevent malicious packets from reaching FastDDS services.

🌐 Internet-Facing: MEDIUM - While the vulnerability requires network access, FastDDS services are typically deployed in internal or controlled environments rather than directly internet-facing.
🏢 Internal Only: HIGH - Internal attackers or compromised systems on the same network can exploit this to disrupt critical DDS communications.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof-of-concept packet capture is publicly available, making exploitation straightforward for attackers with network access to FastDDS services.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.10.0, 2.9.2, or 2.6.5

Vendor Advisory: https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-fcr6-x23w-94wp

Restart Required: Yes

Instructions:

1. Identify the current Fast DDS version.
2. Upgrade to version 2.10.0, 2.9.2, or 2.6.5 depending on your branch.
3. Recompile applications if using Fast DDS as a library.
4. Restart all Fast DDS services and dependent applications.

🔧 Temporary Workarounds

Network Segmentation

Restrict network access to Fast DDS services to only trusted systems and applications. Fast DDS uses UDP by default (7400 is the discovery port for DDS domain 0; other domains and the unicast data ports use higher ports), so filter UDP and add equivalent TCP rules only if a TCP transport is configured. Replace trusted_ip_range with your own address range.

iptables -A INPUT -p udp --dport 7400 -s trusted_ip_range -j ACCEPT
iptables -A INPUT -p udp --dport 7400 -j DROP

🧯 If You Can't Patch

  • Implement strict network access controls to limit which systems can communicate with Fast DDS services
  • Deploy intrusion detection systems to monitor for malformed DDS packets and alert on potential exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check the linked Fast DDS library: ldd /path/to/fastdds_application | grep fastrtps, or inspect the application's dependencies.

Check Version:

For compiled applications: strings /path/to/binary | grep -i fastdds
For packages: dpkg -l | grep fastdds or rpm -qa | grep fastdds

Verify Fix Applied:

Verify that the installed version is at least 2.6.5 on the 2.6 branch, 2.9.2 on the 2.9 branch, or 2.10.0 or later, and test with sample malformed packets if possible.

📡 Detection & Monitoring

Log Indicators:

  • Fast DDS service crashes
  • Assertion failure messages in logs
  • Unexpected service termination

Network Indicators:

  • Malformed GAP submessages in DDS traffic
  • Unusual packet patterns to DDS ports (typically 7400)
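To support the "malformed GAP submessages" indicator above, here is an added example (not from the advisory or from the Fast DDS project) that walks the submessages of one RTPS datagram and flags GAP submessages violating the RTPS specification's validity rules (gapStart >= 1, gapList.base >= 1, numBits <= 256, bitmap present). The sample datagrams are constructed; the checks are the spec's generic rules, not the specific trigger behind this CVE, which the advisory does not describe.

```python
import struct

RTPS_HEADER_LEN = 20   # "RTPS", protocolVersion(2), vendorId(2), guidPrefix(12)
SUBMSG_GAP = 0x08      # submessageId of GAP
MAX_BITS = 256         # SequenceNumberSet rule: 0 <= numBits <= 256

def _seqnum(body, off, e):
    # SequenceNumber_t: int32 high, uint32 low -> high * 2**32 + low
    high, low = struct.unpack_from(e + "iI", body, off)
    return high * (1 << 32) + low

def check_gap(body, e):  # spec validity rules for one GAP body
    # readerId(4) writerId(4) gapStart(8) gapList.base(8) gapList.numBits(4)
    if len(body) < 28:
        return ["GAP body shorter than its fixed fields"]
    gap_start, base = _seqnum(body, 8, e), _seqnum(body, 16, e)
    (num_bits,) = struct.unpack_from(e + "I", body, 24)
    out = []
    if gap_start < 1:
        out.append("gapStart < 1")
    if base < 1:
        out.append("gapList.base < 1")
    if num_bits > MAX_BITS:
        out.append(f"gapList.numBits {num_bits} > {MAX_BITS}")
    if len(body) < 28 + 4 * ((num_bits + 31) // 32):
        out.append("gapList.bitmap truncated")
    return out

def scan_rtps(pkt):  # walk every submessage of one datagram, report GAP issues
    if len(pkt) < RTPS_HEADER_LEN or pkt[:4] != b"RTPS":
        return ["not an RTPS message"]
    out, off = [], RTPS_HEADER_LEN
    while off + 4 <= len(pkt):
        sid, flags = pkt[off], pkt[off + 1]
        e = "<" if flags & 0x01 else ">"          # E flag selects endianness
        (length,) = struct.unpack_from(e + "H", pkt, off + 2)
        if length == 0:                           # 0 = runs to end of message
            length = len(pkt) - off - 4
        if sid == SUBMSG_GAP:
            out += check_gap(pkt[off + 4: off + 4 + length], e)
        off += 4 + length
    return out

# Constructed samples (not real captures): RTPS header + one GAP submessage.
HDR = b"RTPS" + bytes([2, 3]) + bytes(2) + bytes(12)   # vendorId left zeroed
def _gap(start, base, num_bits, bitmap_words):
    body = bytes(8) + struct.pack("<iI", 0, start) + struct.pack("<iI", 0, base)
    body += struct.pack("<I", num_bits) + bytes(4 * bitmap_words)
    return bytes([SUBMSG_GAP, 0x01]) + struct.pack("<H", len(body)) + body
GOOD_PKT = HDR + _gap(start=5, base=10, num_bits=8, bitmap_words=1)
BAD_PKT = HDR + _gap(start=0, base=10, num_bits=300, bitmap_words=1)
```

Feeding captured UDP payloads from the DDS ports through scan_rtps gives a simple alerting hook; an empty list means no violation was seen.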

SIEM Query:

source="fastdds.log" AND ("assertion" OR "crash" OR "terminated")
