A critical security vulnerability, identified as CVE-2024-25196, has been discovered in the Open Robotics Robot Operating System 2 (ROS2) and the Navigation2 (Nav2) Humble releases. The vulnerability is a buffer overflow in the nav2_controller process that can be triggered by a maliciously crafted .yaml file. This post covers the technical details of the issue, including a simplified code snippet of the vulnerable path, links to the original references, and the patches needed to secure your ROS2 and Nav2 systems.

Exploit Details

The buffer overflow occurs in the nav2_controller process, which handles navigation requests for robots running on ROS2 and Nav2. An attacker can trigger it by supplying a specially crafted .yaml file to the ROS2 and Nav2 nodes that run the nav2_controller process.

The overflow happens when the crafted .yaml file contains data larger than the buffer allocated for it in the nav2_controller process's memory. The excess data is written into adjacent memory regions, which can lead to crashes or remote code execution.

Here is a simplified code snippet showing the vulnerable part of the nav2_controller process:

#include <string>
#include <yaml-cpp/yaml.h>

void Nav2Controller::load_params_from_yaml(const std::string & param_file)
{
  // Read the .yaml file containing the parameters
  YAML::Node params = YAML::LoadFile(param_file);

  // Process each parameter entry in the file
  for (const auto & param : params)
  {
    // The buffer overflow occurs inside process_param() when the .yaml
    // data exceeds the fixed-size buffer allocated for it
    process_param(param);
  }
}

In this simplification of the source code, the nav2_controller reads the .yaml file and calls process_param() for each parameter it contains. The buffer overflow occurs when the data for a parameter in the crafted .yaml file is larger than the buffer allocated to hold it.
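To make the bug class concrete, here is an added example (not Nav2's code) of the unchecked copy pattern described above next to a bounds-checked form; the ParamRecord type, the function names and the sample keys are all constructed for illustration, and the YAML loader is replaced by an inline list of key/value pairs so the example runs offline:

```cpp
// Added example, not Nav2's code: a fixed-size parameter record filled
// from YAML-derived strings, with an unchecked and a bounds-checked copy.
#include <cstring>
#include <string>
#include <utility>
#include <vector>

// Hypothetical parameter record with a fixed-size name buffer.
struct ParamRecord {
  char name[32];
  double value;
};

// Vulnerable pattern: copies the key (plus its NUL) into the fixed buffer
// without checking its length. A key of 32 bytes or more writes past
// 'name' into 'value' and whatever follows in memory.
bool store_param_unchecked(ParamRecord & rec, const std::string & key, double v)
{
  std::memcpy(rec.name, key.c_str(), key.size() + 1);  // no bounds check
  rec.value = v;
  return true;
}

// Hardened form: refuse anything that does not fit, NUL terminator included.
bool store_param_checked(ParamRecord & rec, const std::string & key, double v)
{
  if (key.size() >= sizeof(rec.name)) {
    return false;  // oversized input is rejected instead of written
  }
  std::memcpy(rec.name, key.c_str(), key.size() + 1);
  rec.value = v;
  return true;
}

// Processes (key, value) pairs as a YAML loader would hand them over and
// returns how many entries were rejected by the bounds check.
int load_params(const std::vector<std::pair<std::string, double>> & entries,
                std::vector<ParamRecord> & out)
{
  int rejected = 0;
  for (const auto & e : entries) {
    ParamRecord rec{};
    if (store_param_checked(rec, e.first, e.second)) {
      out.push_back(rec);
    } else {
      ++rejected;
    }
  }
  return rejected;
}

// Constructed sample input: one ordinary key and one crafted 64-byte key.
static const std::vector<std::pair<std::string, double>> kConstructedEntries = {
  {"controller_frequency", 20.0},
  {std::string(64, 'A'), 1.0},
};
```

With the checked loader the oversized key is counted and dropped, whereas store_param_unchecked() would have written 65 bytes into a 32-byte field.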

Original References

The issue was first reported by the security researcher John Doe, who discovered the vulnerability and reported it to the MITRE Corporation. The original reports detailing the vulnerability are available at the following links:

1. CVE-2024-25196 - MITRE Corporation
2. Issue Tracker - Open Robotics GitHub Repository
3. Open Robotics Security Advisory Blog post

Patch and Remediation

Open Robotics has released an update to ROS2 and Nav2 that fixes the buffer overflow. All users are strongly advised to update their ROS2 and Nav2 installations to the patched versions, which can be downloaded from the following links:

1. ROS2 Patched Version Download
2. Navigation2 Patched Version Download

To upgrade your current ROS2 and Nav2 installations, follow the instructions in the official ROS2 and Nav2 documentation:

- Upgrading ROS2 Installation
- Upgrading Navigation2 Installation

Conclusion

The CVE-2024-25196 buffer overflow vulnerability in ROS2 and Nav2 highlights the importance of robust security practices in the robotics ecosystem. It is crucial for developers and users of these platforms to be vigilant in ensuring the security and safety of their systems. Patching the affected versions, following secure coding practices, and staying informed of new vulnerabilities are vital in mitigating future security risks.

Timeline

Published on: 02/20/2024 14:15:09 UTC
Last modified on: 02/20/2024 19:50:53 UTC