CVE-2024-38923

9.8 CRITICAL

📋 TL;DR

This CVE describes a use-after-free vulnerability in the nav2_amcl process of ROS2 Nav2 (Navigation2). It is triggered remotely by sending a request that changes the dynamic parameter odom_frame_id of the /amcl node (the '/amcl odom_frame_id' parameter). An attacker who can reach the ROS2/DDS network can crash nav2_amcl and potentially execute arbitrary code in that process. Systems running ROS2 Humble with Nav2 builds that predate the fix are affected.

💻 Affected Systems

Products:
  • ROS2 (Robot Operating System 2)
  • Nav2 (Navigation2)
Versions: ROS2 Humble versions with Nav2 before the fix
Operating Systems: Linux (Ubuntu 22.04 is the primary platform for ROS2 Humble)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any system running nav2_amcl. The node's parameter services (including /amcl/set_parameters) are exposed over DDS as soon as the node is up, so no extra configuration is needed to reach them. The vulnerability is in the dynamic-parameter handling code of nav2_amcl.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Arbitrary code execution in the nav2_amcl process, as the user that runs the navigation stack, leading to compromise of the robot controller, or denial of service that takes down localization and therefore navigation.

🟠 Likely Case: nav2_amcl crashes (segmentation fault), localization stops and navigation fails until the node is restarted; memory corruption that does not immediately crash the process can produce wrong pose estimates and unstable robot behaviour.

🟢 If Mitigated: With the ROS2 network isolated and parameter changes restricted to trusted nodes, the remaining impact is a service restart.

🌐 Internet-Facing: HIGH - Wherever DDS traffic is reachable, the parameter service can be called without authentication; ROS2 has no authentication unless SROS2 (DDS-Security) is enabled.
🏢 Internal Only: HIGH - Any compromised node, host, or rogue participant on the same ROS2 domain can send the parameter request.

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation only requires a set-parameters request to the /amcl node over ROS2 (for example a call to the /amcl/set_parameters service, which is what ros2 param set does). Any participant on the ROS2 domain can send it; no authentication is involved unless SROS2 is enabled.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: navigation2 pull request #4397 (this page does not give a release number; check the navigation2 humble changelog for the first release that contains it)

Vendor Advisory: https://github.com/ros-navigation/navigation2/issues/4379

Restart Required: Yes

Instructions:

1. Update navigation2 to a build that includes pull request #4397 (for binary installs, upgrade ros-humble-nav2-amcl / ros-humble-navigation2 to a release containing it; for source builds, pull the humble branch past the merge).
2. Rebuild the ROS2 workspace (for a source build: colcon build --packages-up-to nav2_amcl).
3. Restart nav2_amcl and the Nav2 lifecycle manager so the patched binary is loaded.

🔧 Temporary Workarounds

Restrict dynamic parameter changes

linux

Block the attack vector by preventing untrusted peers from changing /amcl parameters at runtime

There is no launch-file or ros2 CLI switch that turns off a running node's parameter services; rclcpp only offers NodeOptions::start_parameter_services(false), which means rebuilding nav2_amcl. If you cannot rebuild, enable SROS2 (DDS-Security) with an access-control policy that allows only designated nodes to call the /amcl/set_parameters service.

Network segmentation

all

Isolate the ROS2/DDS network from untrusted systems

Set ROS_LOCALHOST_ONLY=1 on single-machine robots so DDS traffic never leaves the host
Put robot networks behind a firewall and restrict the DDS ports (UDP 7400 and up; the exact range depends on the domain ID) to known peers
Treat ROS_DOMAIN_ID as namespacing, not access control: it only selects the port range, and any peer can choose the same value

🧯 If You Can't Patch

  • Implement strict network access controls so that only trusted hosts can exchange DDS traffic with the robot
  • Enable SROS2 (DDS-Security) with an access-control policy so that only designated nodes may call /amcl/set_parameters
  • Record the /parameter_events topic and alert on any change to odom_frame_id on the /amcl node, and on nav2_amcl process deaths that follow it

🔍 How to Verify

Check if Vulnerable:

You are vulnerable if you run ROS2 Humble with a Nav2 build that does not contain the fix from PR #4397. For binary installs, compare the installed ros-humble-nav2-amcl version with the navigation2 changelog; for source builds, run git log in the navigation2 checkout under your workspace's src directory (the install prefix returned by ros2 pkg prefix is not a git repository).

Check Version:

dpkg -s ros-humble-nav2-amcl 2>/dev/null | grep '^Version:'; ros2 pkg xml nav2_amcl | grep '<version>'

Verify Fix Applied:

Confirm that the installed nav2_amcl comes from a navigation2 build that contains the commit merged by PR #4397 (binary package changelog, or git log of the source checkout). Then, in simulation or on a test robot, change odom_frame_id on the running /amcl node with ros2 param set and confirm that /amcl is still listed by ros2 node list and that the launch log shows no "process has died" entry.

📡 Detection & Monitoring

Log Indicators:

  • nav2_amcl process death reported by launch ("process has died [pid N, exit code -11, ...]" for SIGSEGV; -6 for SIGABRT)
  • Segmentation faults or AddressSanitizer reports in nav2 logs
  • Unexpected changes to /amcl parameters on the /parameter_events topic, especially odom_frame_id

Network Indicators:

  • Calls to the /amcl/set_parameters service (or ros2 param set against /amcl) from hosts or nodes that never normally reconfigure AMCL
  • Unusual ROS2 topic traffic patterns

SIEM Query:

source="ros2_logs" AND (("process has died" AND "exit code -11") OR "Segmentation fault" OR "odom_frame_id")
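The correlation the indicators above call for, as an added example that is not part of this advisory or of the Nav2 project: it pairs odom_frame_id changes on /amcl (as you would collect them by subscribing to the /parameter_events topic, whose rcl_interfaces/msg/ParameterEvent messages carry stamp, node and changed_parameters) with crash-type process deaths taken from the launch log. Assumptions: launch.log lines start with a float timestamp before the level tag, launch_ros reports a signal-killed child as "process has died [pid N, exit code -S, ...]" with S the signal number, and the launch process name for nav2_amcl starts with the executable name amcl. The log lines and parameter events below are constructed for the example.

```python
"""Correlate odom_frame_id changes on /amcl with nav2_amcl process deaths.

Added example for the CVE-2024-38923 advisory; not Nav2 project code.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# launch.log line (assumed format): "<float ts> [ERROR] [amcl-5]: process has died [pid N, exit code C, cmd '...']."
DEATH_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+\[ERROR\]\s+\[(?P<proc>[^\]]+)\]: "
    r"process has died \[pid (?P<pid>\d+), exit code (?P<code>-?\d+)"
)

# launch reports a child killed by a signal as the negative signal number.
CRASH_EXIT_CODES = {-11, -6}  # SIGSEGV, SIGABRT (glibc/ASan abort)


@dataclass(frozen=True)
class ParamChange:
    stamp: float  # ParameterEvent.stamp, in seconds
    node: str     # ParameterEvent.node, e.g. "/amcl"
    name: str     # one entry of ParameterEvent.changed_parameters[].name


@dataclass(frozen=True)
class ProcessDeath:
    stamp: float
    proc: str      # launch process name, e.g. "amcl-5"
    pid: int
    exit_code: int


def parse_deaths(lines: Iterable[str]) -> List[ProcessDeath]:
    """Extract process-death records from launch.log lines; other lines are ignored."""
    deaths = []
    for line in lines:
        m = DEATH_RE.match(line)
        if m:
            deaths.append(ProcessDeath(float(m["ts"]), m["proc"], int(m["pid"]), int(m["code"])))
    return deaths


def correlate(changes, deaths, node="/amcl", param="odom_frame_id", window_s=5.0):
    """Pair each change of `param` on `node` with a crash-type death of the matching
    launch process (name prefix == node basename) within `window_s` seconds after it."""
    base = node.strip("/")
    alerts = []
    for c in changes:
        if c.node != node or c.name != param:
            continue
        for d in deaths:
            if (d.proc.rsplit("-", 1)[0] == base
                    and d.exit_code in CRASH_EXIT_CODES
                    and 0.0 <= d.stamp - c.stamp <= window_s):
                alerts.append((c, d))
    return alerts


# Constructed sample data for this example (not captured from a real robot).
SAMPLE_LAUNCH_LOG = [
    "1718000000.10 [INFO] [amcl-5]: process started with pid [4242]",
    "1718000042.30 [INFO] [controller_server-7]: process started with pid [4250]",
    "1718000050.75 [ERROR] [amcl-5]: process has died [pid 4242, exit code -11, "
    "cmd '/opt/ros/humble/lib/nav2_amcl/amcl --ros-args -r __node:=amcl'].",
    "1718000120.00 [ERROR] [planner_server-8]: process has died [pid 4260, exit code 1, "
    "cmd '/opt/ros/humble/lib/nav2_planner/planner_server'].",
]

SAMPLE_PARAM_EVENTS = [
    ParamChange(1718000030.0, "/amcl", "max_particles"),            # routine tuning, no crash
    ParamChange(1718000049.5, "/amcl", "odom_frame_id"),            # 1.25 s before the SIGSEGV
    ParamChange(1718000119.0, "/planner_server", "odom_frame_id"),  # other node, clean exit code 1
]


def sample_alerts():
    """Run the correlation over the constructed sample data."""
    return correlate(SAMPLE_PARAM_EVENTS, parse_deaths(SAMPLE_LAUNCH_LOG))


if __name__ == "__main__":
    for change, death in sample_alerts():
        print(f"ALERT: {change.node} {change.name} changed at {change.stamp:.2f}; "
              f"{death.proc} (pid {death.pid}) died with exit code {death.exit_code} "
              f"{death.stamp - change.stamp:.2f}s later")
```

Feed it the parameter events you have recorded (for instance with ros2 bag record /parameter_events) and the launch.log of the same run; a short window (a few seconds) keeps routine AMCL tuning followed by an unrelated crash from raising an alert.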
