CVE-2021-38445
published 2022-05-05CVE-2021-38445: OCI OpenDDS versions prior to 3.18.1 do not handle a length parameter consistent with the actual length of the associated data, which may allow an attacker to…
PriorityP260critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
2.58%
83.3th percentile
OCI OpenDDS versions prior to 3.18.1 do not handle a length parameter consistent with the actual length of the associated data, which may allow an attacker to remotely execute arbitrary code.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| objectcomputing | opendds | < 3.18.1 | 3.18.1 |
| oci | opendds | >= unspecified < 3.18.1 | 3.18.1 |
Detection & IOCsextracted from sources · hover to see the quote
- →Detect RTPS RTPSSubMessage_DATA packets where the PID_BUILTIN_ENDPOINT_QOS parameter Length field is set to 4 null bytes (\x00\x00\x00\x00), which is the exploit trigger for CVE-2021-38445 against OpenDDS. ↗
- →Monitor for anomalous RTPS traffic targeting DDS endpoints; the exploit can be crafted using the Scapy RTPS layer, so look for malformed RTPS submessages with mismatched length fields. ↗
- ·CVE-2021-38445 affects OCI OpenDDS versions prior to 3.18.1 only; patched versions are not vulnerable. ↗
- ·The vulnerability is exploitable remotely over the network against any DDS endpoint running a vulnerable OpenDDS version, including those embedded in ROS 2 stacks; exposed DDS endpoints without network segmentation are at highest risk. ↗
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
CISA ICS
Multiple Data Distribution Service (DDS) Implementations (Update A)
cisa_ics·2021-11-11
Multiple Data Distribution Service (DDS) Implementations (Update A)
## Archived Content In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
ICS Advisory
##
Multiple Data Distribution Service (DDS) Implementations (Update A)
Last RevisedFebruary 01, 2022
Alert CodeICSA-21-315-02
## 1. EXECUTIVE SUMMARY
- CVSS v3 8.6
- ATTENTION: Exploitable remotely/low attack complexity
- Vendors: Eclipse, eProsima, GurumNetworks, Object Computing, Inc. (OCI), Real-Time Innovations (RTI), TwinOaks Computing
- Equipment: CycloneDDS, FastDDS, GurumDDS, OpenDDS, Connext DDS Professional, Connext DDS Secure, Connext DDS Micro, CoreDX DDS
- Vulnerabilities: Write-what-where Condition, Improper Handling of Syntactically Invalid Structure, Network Amp
GHSA
GHSA-3xm3-79jv-66p7: OCI OpenDDS versions prior to 3
ghsa_unreviewed·2022-05-06
CVE-2021-38445 [CRITICAL] CWE-130 GHSA-3xm3-79jv-66p7: OCI OpenDDS versions prior to 3
OCI OpenDDS versions prior to 3.18.1 do not handle a length parameter consistent with the actual length of the associated data, which may allow an attacker to remotely execute arbitrary code.
No detection rules found.
No public exploits indexed.
Trendmicro
Data Distribution Service: Mitigating Risks Part 3
blogs_trendmicro·2022-07-11·CVSS 7.0
[HIGH] Data Distribution Service: Mitigating Risks Part 3
Privacy & Risks
# Data Distribution Service: Mitigating Risks Part 3
In the final chapter of our blog series, we discuss mitigating strategies and recommendations to keep DDS protected from malicious actors.
By: Trend Micro
Jul 11, 2022
Read time: ( words)
Save to Folio
In part two, we thoroughly discussed both known and newly discovered vulnerabilities affecting DDS. Thirteen vulnerabilities discovered by our team were given new CVE IDs in November 2021 from the six most common DDS implementations, plus one vulnerability in the standard specifications.
For the final, let’s explore an attack scenario to showcase what would happen if DDS is compromised, several mitigation strategies and recommendations that enterprises can utilize to ensure their systems are well-protected.
Attack s
Trendmicro
Data Distribution Service: Mitigating Risks Part 3
blogs_trendmicro·2022-07-11·CVSS 7.0
[HIGH] Data Distribution Service: Mitigating Risks Part 3
Privacy & Risks
## Data Distribution Service: Mitigating Risks Part 3
In the final chapter of our blog series, we discuss mitigating strategies and recommendations to keep DDS protected from malicious actors.
By: Trend Micro Jul 11, 2022 Read time: ( words)
Save to Folio
In part two , we thoroughly discussed both known and newly discovered vulnerabilities affecting DDS. Thirteen vulnerabilities discovered by our team were given new CVE IDs in November 2021 from the six most common DDS implementations, plus one vulnerability in the standard specifications.
For the final, let’s explore an attack scenario to showcase what would happen if DDS is compromised, several mitigation strategies and recommendations that enterprises can utilize to ensure their systems are well-protected.
The tel
Trendmicro
Data Distribution Service: Mitigating Risks Part 3
blogs_trendmicro·2022-07-11·CVSS 7.0
[HIGH] Data Distribution Service: Mitigating Risks Part 3
Risiken für die Privatsphäre
## Data Distribution Service: Mitigating Risks Part 3
In the final chapter of our blog series, we discuss mitigating strategies and recommendations to keep DDS protected from malicious actors.
By: Trend Micro Jul 11, 2022 Lesezeit: ( Wörter)
Save to Folio
In part two , we thoroughly discussed both known and newly discovered vulnerabilities affecting DDS. Thirteen vulnerabilities discovered by our team were given new CVE IDs in November 2021 from the six most common DDS implementations, plus one vulnerability in the standard specifications.
For the final, let’s explore an attack scenario to showcase what would happen if DDS is compromised, several mitigation strategies and recommendations that enterprises can utilize to ensure their systems are well-protec
Trendmicro
Data Distribution Service: Mitigating Risks Part 3
blogs_trendmicro·2022-07-11·CVSS 7.0
[HIGH] Data Distribution Service: Mitigating Risks Part 3
Privacy & Risks
# Data Distribution Service: Mitigating Risks Part 3
In the final chapter of our blog series, we discuss mitigating strategies and recommendations to keep DDS protected from malicious actors.
By: Trend Micro
2022/07/11
Read time: ( words)
Save to Folio
In part two, we thoroughly discussed both known and newly discovered vulnerabilities affecting DDS. Thirteen vulnerabilities discovered by our team were given new CVE IDs in November 2021 from the six most common DDS implementations, plus one vulnerability in the standard specifications.
For the final, let’s explore an attack scenario to showcase what would happen if DDS is compromised, several mitigation strategies and recommendations that enterprises can utilize to ensure their systems are well-protected.
Attack sce
Trendmicro
Data Distribution Service: Mitigating Risks Part 3
blogs_trendmicro·2022-07-11·CVSS 7.0
[HIGH] Data Distribution Service: Mitigating Risks Part 3
Privacidad y riesgos
## Data Distribution Service: Mitigating Risks Part 3
In the final chapter of our blog series, we discuss mitigating strategies and recommendations to keep DDS protected from malicious actors.
By: Trend Micro Jul 11, 2022 Read time: ( words)
Save to Folio
In part two , we thoroughly discussed both known and newly discovered vulnerabilities affecting DDS. Thirteen vulnerabilities discovered by our team were given new CVE IDs in November 2021 from the six most common DDS implementations, plus one vulnerability in the standard specifications.
For the final, let’s explore an attack scenario to showcase what would happen if DDS is compromised, several mitigation strategies and recommendations that enterprises can utilize to ensure their systems are well-protected.
Th
Trendmicro
Data Distribution Service: Mitigating Risks Part 3
blogs_trendmicro·2022-07-11·CVSS 7.0
[HIGH] Data Distribution Service: Mitigating Risks Part 3
Privacy & Risks
## Data Distribution Service: Mitigating Risks Part 3
In the final chapter of our blog series, we discuss mitigating strategies and recommendations to keep DDS protected from malicious actors.
By: Trend Micro 2022/07/11 Read time: ( words)
Save to Folio
In part two , we thoroughly discussed both known and newly discovered vulnerabilities affecting DDS. Thirteen vulnerabilities discovered by our team were given new CVE IDs in November 2021 from the six most common DDS implementations, plus one vulnerability in the standard specifications.
For the final, let’s explore an attack scenario to showcase what would happen if DDS is compromised, several mitigation strategies and recommendations that enterprises can utilize to ensure their systems are well-protected.
The teleo
Trendmicro
Data Distribution Service: Mitigating Risks Part 3
blogs_trendmicro·2022-07-11·CVSS 7.0
[HIGH] Data Distribution Service: Mitigating Risks Part 3
Rischi di Privacy
## Data Distribution Service: Mitigating Risks Part 3
In the final chapter of our blog series, we discuss mitigating strategies and recommendations to keep DDS protected from malicious actors.
By: Trend Micro Jul 11, 2022 Read time: ( words)
Save to Folio
In part two , we thoroughly discussed both known and newly discovered vulnerabilities affecting DDS. Thirteen vulnerabilities discovered by our team were given new CVE IDs in November 2021 from the six most common DDS implementations, plus one vulnerability in the standard specifications.
For the final, let’s explore an attack scenario to showcase what would happen if DDS is compromised, several mitigation strategies and recommendations that enterprises can utilize to ensure their systems are well-protected.
The t
Trendmicro
Data Distribution Service: Nicht immer sicher
blogs_trendmicro·2022-05-11
Data Distribution Service: Nicht immer sicher
Ausnutzung von Schwachstellen
## Data Distribution Service: Nicht immer sicher
Das Data Distribution Service (DDS)-Protokoll wird seit mehr als einem Jahrzehnt verwendet, ist aber selbst vielen Branchenexperten nicht bekannt. Wir haben diese wichtige Middleware auf Lücken untersucht – und sind leider fündig geworden.
By: Trend Micro May 11, 2022 Read time: ( words)
Save to Folio
Originalbeitrag von Federico Maggi, Rainer Vosseler (Trend Micro Research), Mars Cheng, Patrick Kuo, Chizuru Toyama, Ta-Lun Yen (TXOne Networks), Erik Boasson (ADLINK), Victor Mayoral Vilches (Alias Robotics)
Das Data Distribution Service (DDS)-Protokoll wird seit mehr als einem Jahrzehnt verwendet, ist aber selbst vielen Branchenexperten nicht bekannt. Die Middleware-Technologie ist für den Betrieb von Milli
Trendmicro
Critically Underrated: Studying the Data Distribution Service (DDS) Protocol
blogs_trendmicro·2022-04-19
Critically Underrated: Studying the Data Distribution Service (DDS) Protocol
Exploits & Vulnerabilities
## Critically Underrated: Studying the Data Distribution Service (DDS) Protocol
Researchers from Trend Micro Research, TXOne, ADLINK, Alias Robotics, and ZDI looked into the Data Distribution Service (DDS) standard and its implementations from a security angle. The full findings of this research will be presented in the S4X22 Conference in April 2022.
By: Trend Micro Apr 19, 2022 Read time: ( words)
Save to Folio
By Federico Maggi, Rainer Vosseler (Trend Micro Research), Mars Cheng, Patrick Kuo, Chizuru Toyama, Ta-Lun Yen (TXOne Networks), Erik Boasson (ADLINK), and Victor Mayoral Vilches (Alias Robotics)
Despite being unknown even to industry practitioners, the Data Distribution Service (DDS) protocol has been in use for more than a decade. This middleware
Trendmicro
Critically Underrated: Studying the Data Distribution Service (DDS) Protocol
blogs_trendmicro·2022-04-19
Critically Underrated: Studying the Data Distribution Service (DDS) Protocol
Exploits & Vulnerabilities
## Critically Underrated: Studying the Data Distribution Service (DDS) Protocol
Researchers from Trend Micro Research, TXOne, ADLINK, Alias Robotics, and ZDI looked into the Data Distribution Service (DDS) standard and its implementations from a security angle. The full findings of this research will be presented in the S4X22 Conference in April 2022.
By: Trend Micro 2022/04/19 Read time: ( words)
Save to Folio
By Federico Maggi, Rainer Vosseler (Trend Micro Research), Mars Cheng, Patrick Kuo, Chizuru Toyama, Ta-Lun Yen (TXOne Networks), Erik Boasson (ADLINK), and Victor Mayoral Vilches (Alias Robotics)
Despite being unknown even to industry practitioners, the Data Distribution Service (DDS) protocol has been in use for more than a decade. This middleware s
Trendmicro
Critically Underrated: Studying the Data Distribution Service (DDS) Protocol
blogs_trendmicro·2022-04-19
Critically Underrated: Studying the Data Distribution Service (DDS) Protocol
Exploits & Vulnerabilities
# Critically Underrated: Studying the Data Distribution Service (DDS) Protocol
Researchers from Trend Micro Research, TXOne, ADLINK, Alias Robotics, and ZDI looked into the Data Distribution Service (DDS) standard and its implementations from a security angle. The full findings of this research will be presented in the S4X22 Conference in April 2022.
By: Trend Micro
Apr 19, 2022
Read time: ( words)
Save to Folio
By Federico Maggi, Rainer Vosseler (Trend Micro Research), Mars Cheng, Patrick Kuo, Chizuru Toyama, Ta-Lun Yen (TXOne Networks), Erik Boasson (ADLINK), and Victor Mayoral Vilches (Alias Robotics)
Despite being unknown even to industry practitioners, the Data Distribution Service (DDS) protocol has been in use for more than a decade. This middleware
Trendmicro
Critically Underrated: Studying the Data Distribution Service (DDS) Protocol
blogs_trendmicro·2022-04-19
Critically Underrated: Studying the Data Distribution Service (DDS) Protocol
Exploits y vulnerabilidades
## Critically Underrated: Studying the Data Distribution Service (DDS) Protocol
Researchers from Trend Micro Research, TXOne, ADLINK, Alias Robotics, and ZDI looked into the Data Distribution Service (DDS) standard and its implementations from a security angle. The full findings of this research will be presented in the S4X22 Conference in April 2022.
By: Trend Micro Apr 19, 2022 Read time: ( words)
Save to Folio
By Federico Maggi, Rainer Vosseler (Trend Micro Research), Mars Cheng, Patrick Kuo, Chizuru Toyama, Ta-Lun Yen (TXOne Networks), Erik Boasson (ADLINK), and Victor Mayoral Vilches (Alias Robotics)
Despite being unknown even to industry practitioners, the Data Distribution Service (DDS) protocol has been in use for more than a decade. This middlewar
Trendmicro
Critically Underrated: Studying the Data Distribution Service (DDS) Protocol
blogs_trendmicro·2022-04-19
Critically Underrated: Studying the Data Distribution Service (DDS) Protocol
Sfruttamento vulnerabilità
## Critically Underrated: Studying the Data Distribution Service (DDS) Protocol
Researchers from Trend Micro Research, TXOne, ADLINK, Alias Robotics, and ZDI looked into the Data Distribution Service (DDS) standard and its implementations from a security angle. The full findings of this research will be presented in the S4X22 Conference in April 2022.
By: Trend Micro Apr 19, 2022 Read time: ( words)
Save to Folio
By Federico Maggi, Rainer Vosseler (Trend Micro Research), Mars Cheng, Patrick Kuo, Chizuru Toyama, Ta-Lun Yen (TXOne Networks), Erik Boasson (ADLINK), and Victor Mayoral Vilches (Alias Robotics)
Despite being unknown even to industry practitioners, the Data Distribution Service (DDS) protocol has been in use for more than a decade. This middleware
Trendmicro
Critically Underrated: Studying the Data Distribution Service (DDS) Protocol
blogs_trendmicro·2022-04-19
Critically Underrated: Studying the Data Distribution Service (DDS) Protocol
Exploits & Vulnerabilities
# Critically Underrated: Studying the Data Distribution Service (DDS) Protocol
Researchers from Trend Micro Research, TXOne, ADLINK, Alias Robotics, and ZDI looked into the Data Distribution Service (DDS) standard and its implementations from a security angle. The full findings of this research will be presented in the S4X22 Conference in April 2022.
By: Trend Micro
2022/04/19
Read time: ( words)
Save to Folio
By Federico Maggi, Rainer Vosseler (Trend Micro Research), Mars Cheng, Patrick Kuo, Chizuru Toyama, Ta-Lun Yen (TXOne Networks), Erik Boasson (ADLINK), and Victor Mayoral Vilches (Alias Robotics)
Despite being unknown even to industry practitioners, the Data Distribution Service (DDS) protocol has been in use for more than a decade. This middleware s
2022-05-05
Published