CVE-2023-51456

Name of the Vulnerable Software and Affected Versions DJI Mavic 3 Pro versions prior to v01.01.0300 DJI Mavic 3 versions prior to v01.00.1200 DJI Mavic 3 Classic versions prior to v01.00.0500 DJI Mavic 3 Enterprise versions prior to v07.01.10.03 DJI Matrice 300 versions prior to v57.00.01.00 DJI Matrice M30 versions prior to v07.01.0022 DJI Mini 3 Pro versions prior to v01.00.0620

Description An Improper Input Validation issue affects the v2 sdk service running on a set of DJI drone devices on the port 10000. This could allow an attacker to trigger an out-of-bound read/write into the process memory through a crafted payload due to a missing input sanity check in the v2 pack array to msg function implemented in the libv2 sdk.so library. This potentially leads to a memory information leak or an arbitrary code execution.

Recommendations For DJI Mavic 3 Pro versions prior to v01.01.0300, update to version v01.01.0300 or later to resolve the issue. For DJI Mavic 3 versions prior to v01.00.1200, update to version v01.00.1200 or later to resolve the issue. For DJI Mavic 3 Classic versions prior to v01.00.0500, update to version v01.00.0500 or later to resolve the issue. For DJI Mavic 3 Enterprise versions prior to v07.01.10.03, update to version v07.01.10.03 or later to resolve the issue. For DJI Matrice 300 versions prior to v57.00.01.00, update to version v57.00.01.00 or later to resolve the issue. For DJI Matrice M30 versions prior to v07.01.0022, update to version v07.01.0022 or later to resolve the issue. For DJI Mini 3 Pro versions prior to v01.00.0620, update to version v01.00.0620 or later to resolve the issue. As a temporary workaround, consider disabling the v2 pack array to msg function until a patch is available. Restrict access to the vulnerable libv2 sdk.so library to minimize the risk of exploitation. Avoid using the vulnerable v2 sdk service on port 10000 until the issue is resolved.