CVE-2024-38921

9.8 CRITICAL

📋 TL;DR

CVE-2024-38921 is a critical use-after-free vulnerability in ROS2 Nav2's AMCL component that allows remote attackers to potentially execute arbitrary code or crash the navigation system by sending specially crafted dynamic parameter change requests. This affects ROS2 Humble distributions with Nav2 navigation systems deployed in robots, autonomous vehicles, and industrial automation systems.

💻 Affected Systems

Products:
  • ROS2 (Robot Operating System 2)
  • Nav2 (Navigation2)
Versions: ROS2 Humble distributions with vulnerable Nav2 versions
Operating Systems: Linux (Ubuntu 22.04 recommended for ROS2 Humble)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems where nav2_amcl process is running with dynamic parameter reconfiguration enabled. ROS2 Galactic and earlier versions may also be affected but require verification.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, robot hijacking, or safety-critical system failure in autonomous vehicles.

🟠 Likely Case: Service disruption through process crashes, navigation system failures, or denial of service affecting robot operations.

🟢 If Mitigated: Limited impact with proper network segmentation and parameter validation, potentially only causing service restarts.

🌐 Internet-Facing: HIGH - The vulnerability can be triggered remotely via network requests without authentication.
🏢 Internal Only: HIGH - Even internally, any system with network access to the ROS2 node can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending a specific dynamic parameter change request to the vulnerable process, which is straightforward for attackers with network access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in navigation2 pull request #4397

Vendor Advisory: https://github.com/ros-navigation/navigation2/issues/4379

Restart Required: Yes

Instructions:

1. Update the navigation2 package to include the fix from PR #4397.
2. Rebuild the ROS2 workspace.
3. Restart all nav2_amcl processes and dependent nodes.

🔧 Temporary Workarounds

Disable Dynamic Parameter Reconfiguration (linux)

Prevent parameter changes at runtime to block the attack vector:

    ros2 param set /amcl use_sim_time false

Configure launch files to disable dynamic parameters.

Network Segmentation (linux)

Restrict network access to ROS2 nodes:

    sudo ufw deny from any to any port 11311

Configure ROS_DOMAIN_ID isolation.

🧯 If You Can't Patch

  • Implement strict network access controls to isolate ROS2 nodes from untrusted networks
  • Monitor and alert on unexpected parameter change requests to /amcl z_rand parameter

🔍 How to Verify

Check if Vulnerable:

Check if nav2_amcl process is running and if navigation2 package version predates fix from PR #4397

Check Version:

ros2 pkg list | grep navigation2 && apt show ros-humble-navigation2

Verify Fix Applied:

Verify navigation2 package includes commit from PR #4397 and test parameter changes don't crash process

📡 Detection & Monitoring

Log Indicators:

  • nav2_amcl process crashes
  • Segmentation fault errors in ROS2 logs
  • Unexpected parameter change requests to /amcl

Network Indicators:

  • Unusual parameter change requests to port 11311 or ROS2 DDS ports
  • Traffic patterns targeting /amcl z_rand parameter

SIEM Query:

process_name:"nav2_amcl" AND (event_type:crash OR error_message:"segmentation fault")
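The SIEM query above matches crashes in isolation. The following is an added example, not part of the advisory or of the Nav2 project, that applies the same log indicators to `ros2 launch` console output and correlates them: a nav2_amcl process death (or a segmentation fault message from the amcl node) is rated high severity when it follows a z_rand parameter change within a short window of log lines, and medium otherwise. The sample log lines are constructed; the "Parameter z_rand set to" message is an assumed node log line standing in for what a deployment would more reliably take from the /parameter_events topic. The launch-process death line format and the negative exit code for a signal death (-11 for SIGSEGV) are the real ros2 launch conventions.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample of `ros2 launch` console output (timestamps, pids, and the
# z_rand message are made up for this example).
SAMPLE_LOG = """\
[amcl-3] [INFO] [1718001000.100000000] [amcl]: Received a 384 X 384 map @ 0.050 m/pix
[amcl-3] [INFO] [1718001005.200000000] [amcl]: Parameter z_rand set to 0.900000
[ERROR] [amcl-3]: process has died [pid 4242, exit code -11, cmd '/opt/ros/humble/lib/nav2_amcl/amcl --ros-args -r __node:=amcl'].
[controller_server-2] [INFO] [1718001006.000000000] [controller_server]: Activating
"""

# A node's log line as relayed by ros2 launch: "[proc] [LEVEL] [stamp] [node]: msg"
NODE_LINE_RE = re.compile(
    r"^\[(?P<proc>[^\]]+)\] \[(?P<level>[A-Z]+)\] \[(?P<ts>[\d.]+)\] \[(?P<node>[^\]]+)\]: (?P<msg>.*)$"
)
# ros2 launch's report of a dead child process:
# "[ERROR] [proc]: process has died [pid N, exit code C, cmd '...']"
DIED_RE = re.compile(
    r"^\[ERROR\] \[(?P<proc>[^\]]+)\]: process has died "
    r"\[pid (?P<pid>\d+), exit code (?P<code>-?\d+), cmd '(?P<cmd>[^']*)'\]"
)
SIGSEGV_EXIT = -11  # a signal death is reported as the negative signal number; 11 is SIGSEGV


@dataclass
class Finding:
    kind: str       # "amcl_param_change" or "amcl_crash"
    severity: str   # "medium" or "high"
    line_no: int
    detail: str


def is_amcl_process(proc: str, cmd: str) -> bool:
    """AMCL ships in the nav2_amcl package; match on the binary path or the launch process name."""
    return "nav2_amcl" in cmd or proc.startswith("amcl")


def detect(lines: Iterable[str], window: int = 20) -> List[Finding]:
    """Return findings for z_rand changes on /amcl and nav2_amcl crashes.

    A crash within `window` lines after a z_rand change is rated "high";
    any other nav2_amcl crash is "medium".
    """
    findings: List[Finding] = []
    last_param_change: Optional[int] = None  # line number of the latest z_rand change

    def crash(line_no: int, detail: str) -> Finding:
        recent = last_param_change is not None and line_no - last_param_change <= window
        if recent:
            detail += f"; z_rand change seen at line {last_param_change}"
        return Finding("amcl_crash", "high" if recent else "medium", line_no, detail)

    for line_no, line in enumerate(lines, start=1):
        m = NODE_LINE_RE.match(line)
        if m:
            node, msg = m.group("node"), m.group("msg")
            if node != "amcl":
                continue
            if re.search(r"\bz_rand\b", msg) and "param" in msg.lower():
                findings.append(Finding("amcl_param_change", "medium", line_no, msg))
                last_param_change = line_no
            elif "segmentation fault" in msg.lower():
                findings.append(crash(line_no, f"amcl logged: {msg}"))
            continue

        m = DIED_RE.match(line)
        if m and is_amcl_process(m.group("proc"), m.group("cmd")):
            code = int(m.group("code"))
            how = "SIGSEGV" if code == SIGSEGV_EXIT else f"exit code {code}"
            findings.append(crash(line_no, f"nav2_amcl pid {m.group('pid')} died ({how})"))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG.splitlines()):
        print(f"line {f.line_no}: [{f.severity}] {f.kind}: {f.detail}")
```

Feed it the captured stdout/stderr of the launch process (or the lines a log shipper forwards from it); the window is measured in lines rather than seconds because the process-death line printed by launch carries no timestamp.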
