Squizz617

**Name of the Vulnerable Software and Affected Versions** Fast DDS versions prior to 2.12.0 Fast DDS versions prior to 2.11.3 Fast DDS versions prior to 2.10.3 Fast DDS versions prior to 2.6.7 **Description** Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). In affected versions, specific DATA submessages can be sent to a discovery locator, which may trigger a free error, potentially allowing a remote attacker to crash any Fast-DDS process. The call to free() could potentially leave the pointer in the attacker's control, which could lead to a double free. **Recommendations** For versions prior to 2.12.0, upgrade to version 2.12.0 or later. For versions prior to 2.11.3, upgrade to version 2.11.3 or later. For versions prior to 2.10.3, upgrade to version 2.10.3 or later. For versions prior to 2.6.7, upgrade to version 2.6.7 or later.

**Name of the Vulnerable Software and Affected Versions** eprosima Fast DDS versions prior to 2.11.1 eprosima Fast DDS versions prior to 2.10.2 eprosima Fast DDS versions prior to 2.9.2 eprosima Fast DDS versions prior to 2.6.6 **Description** The issue is related to a heap overflow that can be triggered by providing a `PID PROPERTY LIST` parameter containing a CDR string with a length larger than the size of the actual content. This occurs in the `eprosima::fastdds::dds::ParameterPropertyList t::push back helper` function, where `memcpy` is called to copy the octet'ized length and then the data into `properties .data`. The `data` and `size` can be controlled by anyone sending the CDR string to the discovery multicast port, allowing for a remote crash of any Fast-DDS process. **Recommendations** For versions prior to 2.11.1, update to version 2.11.1 or later. For versions prior to 2.10.2, update to version 2.10.2 or later. For versions prior to 2.9.2, update to version 2.9.2 or later. For versions prior to 2.6.6, update to version 2.6.6 or later. As a temporary workaround, consider restricting access to the discovery multicast port to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** eprosima Fast DDS versions prior to 2.11.0 eprosima Fast DDS versions prior to 2.10.2 eprosima Fast DDS versions prior to 2.9.2 eprosima Fast DDS versions prior to 2.6.5 **Description** The issue is related to an error in exception handling in the eprosima Fast DDS library, which is a C++ implementation of the Data Distribution Service standard of the Object Management Group. When a data submessage is sent to the PDP port, it raises an unhandled `BadParamException` in fastcdr, causing fastdds to crash. This could allow a remote attacker to cause a denial of service. **Recommendations** For versions prior to 2.11.0, update to version 2.11.0 or later. For versions prior to 2.10.2, update to version 2.10.2 or later. For versions prior to 2.9.2, update to version 2.9.2 or later. For versions prior to 2.6.5, update to version 2.6.5 or later. As a temporary workaround, consider restricting access to the PDP port to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** eprosima Fast DDS versions prior to 2.10.0 and 2.6.5 **Description** The issue is related to insufficient handling of exceptional states in the eprosima Fast DDS library, which is a C++ implementation of the Data Distribution Service standard of the Object Management Group. This can allow a remote attacker to cause a denial of service by crashing any Fast DDS process. The `BadParamException` thrown by Fast CDR is not caught in Fast DDS, leading to this vulnerability. **Recommendations** To resolve the issue, update to version 2.10.0 or 2.6.5, as these versions contain a patch for this issue. As a temporary workaround, consider implementing exception handling for the `BadParamException` thrown by Fast CDR to prevent remote crashes of Fast DDS processes.

**Name of the Vulnerable Software and Affected Versions** eprosima Fast DDS versions prior to 2.9.1 and 2.6.5 **Description** The issue is related to improper validation of sequence numbers, which may lead to remotely reachable assertion failure, causing any Fast-DDS process to crash. This can be exploited by a remote attacker to cause a denial of service. **Recommendations** For versions prior to 2.9.1, update to version 2.9.1 to resolve the issue. For versions prior to 2.6.5, update to version 2.6.5 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** eprosima Fast DDS versions prior to 2.11.1 eprosima Fast DDS versions prior to 2.10.2 eprosima Fast DDS versions prior to 2.9.2 eprosima Fast DDS versions prior to 2.6.6 **Description** The issue is caused by a heap overflow in the dynamic memory due to malformed `PID PROPERTY LIST` parameters. This can allow a remote attacker to cause a denial of service, crashing any Fast-DDS process. **Recommendations** For versions prior to 2.11.1, update to version 2.11.1 or later. For versions prior to 2.10.2, update to version 2.10.2 or later. For versions prior to 2.9.2, update to version 2.9.2 or later. For versions prior to 2.6.6, update to version 2.6.6 or later. As a temporary workaround, consider restricting the use of `PID PROPERTY LIST` parameters until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** eprosima Fast DDS versions prior to 2.10.0 eprosima Fast DDS versions prior to 2.9.2 eprosima Fast DDS versions prior to 2.6.5 **Description** The issue is related to the use of the `assert()` function or a similar operator in the eprosima Fast DDS library. A malformed GAP submessage can trigger an assertion failure, causing FastDDS to crash. This can be exploited by a remote attacker to cause a denial of service. **Recommendations** For versions prior to 2.10.0, update to version 2.10.0 or later. For versions prior to 2.9.2, update to version 2.9.2 or later. For versions prior to 2.6.5, update to version 2.6.5 or later.

**Name of the Vulnerable Software and Affected Versions** OpenDDS versions prior to 3.25 **Description** OpenDDS is an open source C++ implementation of the Object Management Group (OMG) Data Distribution Service (DDS). It crashes while parsing a malformed `PID PROPERTY LIST` in a DATA submessage during participant discovery. Attackers can remotely crash OpenDDS processes by sending a DATA submessage containing the malformed parameter to the known multicast port. **Recommendations** For versions prior to 3.25, upgrade to version 3.25 to resolve the issue. As a temporary workaround, consider restricting access to the multicast port to minimize the risk of exploitation.