The Open Robotics Robot Operating System 2 (ROS2) and Nav2 Humble releases contain a vulnerability tracked as CVE-2024-25199. This post walks through the vulnerable code, describes how the flaw behaves, and links to the original references. The vulnerability stems from the ordering of the map_sub_ pointer and the map_free(map_) call in the amcl_node.cpp file, which can lead to a use-after-free.

Vulnerable Code Snippet

The vulnerability is located in the amcl_node.cpp file. The snippet below shows the affected code (elided with "..." where the original post omitted lines).

// amcl_node.cpp
void
AmclNode::freeMapDependentMemory()
{
  // Release the current map and clear the owning pointer
  if (map_ != NULL) {
    map_free(map_);
    map_ = NULL;
  }
  // Release the particle filter that depends on that map
  if (pf_ != NULL) {
    pf_free(pf_);
    pf_ = NULL;
  }
}

void
AmclNode::mapReceived(const nav_msgs::msg::OccupancyGrid::SharedPtr msg)
{
  std::lock_guard<std::recursive_mutex> cfl(configuration_mutex_);

  // Deallocate memory of current map and potentially the particle filter's occupancy grid
  freeMapDependentMemory();

  ...

  // Create a new map (workspace for algorithms)
  // Creating a copy of the map with resized dimensions
  map_ = convertMap(msg);

  ...
}

In the snippet above, the map_ pointer is freed by the map_free(map_) call inside freeMapDependentMemory(), and mapReceived() then assigns a freshly converted map to map_.

Exploit Details

When mapReceived() is called, it frees the memory behind the map_ pointer while holding the configuration_mutex_ lock, then creates a new map with convertMap(msg). The vulnerability lies in the fact that the map_sub_ pointer still refers to the original map message data even after map_ has been freed.

The following steps outline how an attacker can exploit this vulnerability to achieve a use-after-free:

2. The target ROS2 environment receives this message and calls the mapReceived() function.

3. Inside mapReceived(), freeMapDependentMemory() is called, which frees the map_ pointer.

4. However, the map_sub_ pointer still points to the just-freed map_ memory.

5. The attacker further manipulates the environment to force use of the map_sub_ pointer, causing a use-after-free.

A use-after-free of this kind can crash the node or, in the worst case, give the attacker remote code execution within the target ROS2 environment.
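To make the dangling-alias pattern concrete, here is an added C++ model (not code from Nav2 or from this post) of the shape described above: a second raw pointer left behind when map_ is freed and replaced, next to a hardened shape that uses shared_ptr/weak_ptr. The map_t, map_alloc, map_free, RawNode, SafeNode and alias_ names and the quarantine allocator are constructed for the demo; the hardened form is an assumption, not the upstream fix.

```cpp
#include <memory>
#include <mutex>
#include <vector>

// Constructed stand-in for AMCL's map type; `freed` lets the demo observe a stale alias safely.
struct map_t { int width; int height; bool freed; };

// Constructed quarantine allocator: a freed map is marked and parked rather than returned to
// the heap, so the stale alias can be inspected without UB (the idea AddressSanitizer relies on).
static std::vector<std::unique_ptr<map_t>> g_quarantine;
static map_t* map_alloc(int w, int h) { return new map_t{w, h, false}; }
static void map_free(map_t* m) { m->freed = true; g_quarantine.emplace_back(m); }

// Vulnerable shape from the post: map_ is freed and reset, but a second raw pointer
// (stand-in for the stale reference the post describes) keeps pointing at the old map.
struct RawNode {
  std::recursive_mutex configuration_mutex_;
  map_t* map_ = nullptr;
  const map_t* alias_ = nullptr;
  void freeMapDependentMemory() { if (map_) { map_free(map_); map_ = nullptr; } }
  void mapReceived(int w, int h) {
    std::lock_guard<std::recursive_mutex> cfl(configuration_mutex_);
    freeMapDependentMemory();  // alias_ now refers to freed memory
    map_ = map_alloc(w, h);
  }
};

// Hardened shape (an assumption, not the upstream patch): shared ownership plus a weak
// alias, so a stale reference reports expired() instead of touching freed memory.
struct SafeNode {
  std::recursive_mutex configuration_mutex_;
  std::shared_ptr<map_t> map_;
  std::weak_ptr<map_t> alias_;
  void mapReceived(int w, int h) {
    std::lock_guard<std::recursive_mutex> cfl(configuration_mutex_);
    map_ = std::make_shared<map_t>(map_t{w, h, false});  // old map released here
  }
};

// True when the raw alias still refers to a map that has already been freed.
bool raw_alias_dangles() {
  RawNode n; n.mapReceived(10, 10); n.alias_ = n.map_;  // alias taken between map updates
  n.mapReceived(20, 20);  // old map freed, alias untouched
  return n.alias_->freed;
}

// True when the weak alias reports the old map as gone.
bool weak_alias_expires() {
  SafeNode n; n.mapReceived(10, 10); n.alias_ = n.map_;
  n.mapReceived(20, 20);
  return n.alias_.expired();
}
```

Running the raw version under AddressSanitizer (-fsanitize=address) with a real free instead of the quarantine is the practical way to catch this class of bug in a Nav2 build.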

References

1. CVE-2024-25199 - MITRE's official CVE entry for this vulnerability, outlining the affected product versions, attack vectors, and other relevant details.
2. Open Robotics ROS2 Security Advisory - Open Robotics' official security advisory covering this and other security issues fixed in recent ROS2 versions.
3. ROS2 Patches - Tracking the latest patches and updates for ROS2, helping users stay current on recent bug fixes and improvements.

Operators of ROS2 systems are advised to stay vigilant and apply the latest security patches and updates. The ROS2 community and Open Robotics are committed to the safety of the robotics ecosystem, and understanding the details of CVE-2024-25199 is an essential step in protecting your system from this kind of threat.

Timeline

Published on: 02/20/2024 14:15:09 UTC
Last modified on: 08/29/2024 20:36:17 UTC