What is the severity of CVE-2023-24010?

CVE-2023-24010 has been classified as a critical vulnerability due to its potential to allow full control of a secure DDS databus system.

How do I fix CVE-2023-24010?

To mitigate CVE-2023-24010, ensure that the configuration settings for PKCS#7 certificate validation are securely implemented and up to date.

Who is affected by CVE-2023-24010?

CVE-2023-24010 affects users of eProsima Fast DDS that utilize DDS participants or ROS 2 nodes with vulnerable configuration settings.

What kind of attacks can CVE-2023-24010 enable?

CVE-2023-24010 can enable attackers to craft malicious DDS participants or nodes to compromise the integrity and security of the databus system.

What are the mitigations for CVE-2023-24010?

Mitigations for CVE-2023-24010 include ensuring proper validation of certificates and regular security audits of the DDS configuration.

Vulnerability/
CVE-2023-24010

high

8.2

CWE

200

9/1/2025

CVE-2023-24010: Data Distribution Service (DDS) Chain of Trust (CoT) violation in Fast DDS

First published: Thu Jan 09 2025(Updated: )

An attacker can arbitrarily craft malicious DDS Participants (or ROS 2 Nodes) with valid certificates to compromise and get full control of the attacked secure DDS databus system by exploiting vulnerable attributes in the configuration of PKCS#7 certificate’s validation. This is caused by a non-compliant implementation of permission document verification used by some DDS vendors. Specifically, an improper use of the OpenSSL PKCS7_verify function used to validate S/MIME signatures.

Credit: cve-coordination@incibe.es

Affected Software	Affected Version	How to fix
Eclipse

Remedy

Instead of including the Permission CA into the store of trusted certificates to use for chain verification, the Permission CA (and only the Permission CA) should be included in the set of certificates in which to search for signer's certificates. The store of trusted certificates to use for chain verification should then also be set to null. 2) With the store of trusted certificates to use for chain verification set to null, the PKCS7_NOVERIFY flag should then be enabled so any signer's certificates (i.e. only the Permission CA) is not chain verified. 3) Given that only a valid signer's certificate must be the Permission CA, the PKCS7_NOINTERN flag should then be enabled so any set of certificates in the message itself are not searched when locating the signer's certificates.

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2023-24010?
CVE-2023-24010 has been classified as a critical vulnerability due to its potential to allow full control of a secure DDS databus system.
How do I fix CVE-2023-24010?
To mitigate CVE-2023-24010, ensure that the configuration settings for PKCS#7 certificate validation are securely implemented and up to date.
Who is affected by CVE-2023-24010?
CVE-2023-24010 affects users of eProsima Fast DDS that utilize DDS participants or ROS 2 nodes with vulnerable configuration settings.
What kind of attacks can CVE-2023-24010 enable?
CVE-2023-24010 can enable attackers to craft malicious DDS participants or nodes to compromise the integrity and security of the databus system.
What are the mitigations for CVE-2023-24010?
Mitigations for CVE-2023-24010 include ensuring proper validation of certificates and regular security audits of the DDS configuration.

agent/remedy
agent/title
agent/references
agent/weakness
agent/first-publish-date
agent/description
agent/type
collector/nvd-api
source/NVD
agent/author
agent/severity
agent/event
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/source
agent/softwarecombine
agent/tags
agent/guess-ai
agent/software-canonical-lookup
agent/software-canonical-lookup-request
vendor/eprosima
canonical/eclipse