CVE-2024-25198 - Unsafe Pointer Order in Open Robotics ROS2 and Nav2 Humble Causing Use-After-Free Vulnerability

As an essential element of the open-source community, Open Robotics aims to keep its software safe and secure. However, during the routine monitoring and software analysis, a concerning issue has emerged. This post is dedicated to addressing CVE-2024-25198, a use-after-free vulnerability found in the Open Robotics Robotic Operating System 2 (ROS2) and Nav2 humble versions.

If you're using ROS2 and Nav2 humble in your projects, it's crucial to be aware of this troublesome vulnerability to ensure optimal robot performance and overall system security. We will discuss the vulnerability in detail, walk you through the affected code, and provide mitigation options accompanied by relevant updates.

What is CVE-2024-25198?

CVE-2024-25198 refers to a use-after-free vulnerability caused by an incorrect pointer order in laser_scan_filter_.reset() and tf_listener_.reset() methods found in amcl_node.cpp file in ROS2 and Nav2 humble versions.

The Use-After-Free vulnerability occurs when a pointer to an object is used (dereferenced) even after the object has been deleted. This vulnerability can result in compromised system security, unauthorized access, unforeseen crashes, or corrupt data.

Affected code in amcl_node.cpp

The vulnerability lies within the amcl_node.cpp file. An inappropriate order of resetting laser_scan_filter_ and tf_listener_ pointers allows the possibility of a use-after-free scenario. Here's an example of the flawed code:

AmclNode::~AmclNode()
{
  // Incorrect pointer order in resets
  laser_scan_filter_.reset();
  tf_listener_.reset(); // tf_listener_.reset() should be called before laser_scan_filter_.reset()
}

Exploit Details

An attacker who successfully exploits this vulnerability can cause the software to crash or execute arbitrary code in the context of the application.

Due to the use-after-free vulnerability, it's possible for an attacker to manipulate the system memory in a way that enables them to execute arbitrary code in the context of the affected application.

For in-depth information about the vulnerability, refer to the following resources

1. Original CVE details: CVE-2024-25198
2. Open Robotics ROS2 GitHub: https://github.com/ros2/ros2
3. Nav2 Humble GitHub: https://github.com/ros-planning/navigation2

How to fix CVE-2024-25198

To resolve this vulnerability, it is crucial to change the order of pointers in amcl_node.cpp. The correct order must call tf_listener_.reset() before laser_scan_filter_.reset(). The updated code snippet should look like this:

AmclNode::~AmclNode()
{
  // Correct pointer order in resets
  tf_listener_.reset();
  laser_scan_filter_.reset();
}

We recommend upgrading your ROS2 and Nav2 humble versions to the latest patched versions. To take advantage of this fix, navigate to the official repos and grab the updated software to ensure your system's security:

1. Update ROS2: https://github.com/ros2/ros2
2. Update Nav2 Humble: https://github.com/ros-planning/navigation2

Conclusion

CVE-2024-25198 represents a severe use-after-free vulnerability that can be found in ROS2 and Nav2 humble versions. It is crucial to understand the potential risk and implement the appropriate steps to address this issue. By updating your robot software to the latest patched version, you can ensure its safety, security, and stability. Stay informed and keep your robots secure and running efficiently.

Timeline

Published on: 02/20/2024 14:15:09 UTC
Last modified on: 02/20/2024 19:50:53 UTC