Re: 83 bogus CVEs assigned to Robot Operating System (ROS)

[Mark Esler <mark.esler () canonical com>]

Reporting security issues to ROS 2 with proof of concepts and by 
following their disclosure policy would be appreciated and valued. 
https://ros.org/reps/rep-2006.html

I recommend asking upstream for advice and sharing your manuscript with 
them.

Mark Esler

On 4/22/24 20:52, Yash Patel wrote:
> Thank you for your detailed overview regarding the CVEs attributed to 
> our research on ROS/ROS 2. We appreciate the scrutiny and understand 
> the concerns raised by you and other parties.
>
> I want to clarify that our findings are based on extensive tests 
> conducted in real-world scenarios within controlled laboratory 
> settings, where actual robots were subjected to attacks. This method 
> is crucial as it transcends theoretical analysis and involves direct 
> interaction with the equipment that is still operational in many 
> industrial sectors, although on unsupported ROS/ROS2 versions.
>
> We acknowledge that the CVE descriptions were initially drafted at a 
> high level and may not have included comprehensive technical details. 
> This was due to pending publication of our full research papers, which 
> delve deeper into the specifics of each vulnerability. We are 
> preparing a separate document to address this gap, providing the 
> evidence and methodologies employed during our research.
>
> Furthermore, it is worth noting that while some ROS versions are no 
> longer supported by the official development team, they are still 
> actively used in various industries. Our work aims to highlight 
> security risks that could affect these legacy systems, thereby aiding 
> in proactive cybersecurity measures.
>
> We are open to dialogue and further investigation by third-party 
> experts. If the consent remains suspicious of the vulnerability 
> claims, we are prepared to request revocation of the CVEs to maintain 
> the integrity of the reporting process. Our primary goal is to 
> contribute positively to the security of the robotic ecosystem, and we 
> are committed to transparency and collaboration to achieve this.
>
> Looking forward to your constructive feedback and hoping for an 
> opportunity to discuss our findings in detail.
>
> *Yash Patel*
> Ph.D. Research Scholar
> National Forensic Sciences University
> Ministry of Home Affairs, Government of India
> [An Institution of National Importance]
> Gandhinagar, Gujarat, India
>
>
> On Tue, Apr 23, 2024 at 5:22 AM Mark Esler <mark.esler () canonical com> 
> wrote:
>
>     Yash Patel and Dr. Parag Rughani are credited as the discoverers for
>     eighty-three recent CVEs affecting ROS 2 which the MITRE TL-Root CNA
>     assigned.
>
>     All CVE descriptions are written at a very high, vague, level. No
>     specifics or evidence has been provided to backup vulnerability
>     claims.
>
>     Three CVEs (CVE-2023-33565, CVE-2023-33566, and CVE-2023-33567)
>     reference the discoverer's 2022 ACM paper "Analyzing Security
>     Vulnerability and Forensic Investigation of ROS2: A Case Study"
>     [0]. The
>     more technical portion of this paper was confirmed [1] to be based
>     on a
>     ROS 2 beginner tutorial [2]. The paper does not attribute ROS 2
>     documentation.
>
>     Some CVEs claim that a security update will be forthcoming from
>     the ROS
>     2 development team [3]. Privately [4], ROS 2 core developers
>     stated that
>     they were not contacted and "came to the conclusion that [these CVEs]
>     were likely not real security vulnerabilities.".
>
>     Certain CVEs describe unlikely situations. For instance,
>     CVE-2024-30737
>     claims: "A critical vulnerability has been identified in ROS Kinetic
>     Kame, particularly in configurations with ROS_VERSION=1 and
>     ROS_PYTHON_VERSION=3." [5]. ROS Kinetic Kame supports Python 2, not
>     Python 3.
>
>     Frankly, all descriptions appear to be copy-pasted or generated to
>     _sound_ like security issues. No evidence has been provided in the
>     ACM
>     paper or the 83 CVEs to suggest that vulnerabilities actually exist.
>
>     CVE revocation requests have been sent to MITRE and CVE descriptions
>     have been appended with: "NOTE: this is disputed by multiple third
>     parties who believe there was not reasonable evidence to determine
>     the
>     existence of a vulnerability."
>
>     The CVE IDs are: CVE-2023-33565, CVE-2023-33566, CVE-2023-33567,
>     CVE-2023-51197, CVE-2023-51198, CVE-2023-51199, CVE-2023-51200,
>     CVE-2023-51201, CVE-2023-51202, CVE-2023-51204, CVE-2023-51208,
>     CVE-2024-29439, CVE-2024-29440, CVE-2024-29441, CVE-2024-29442,
>     CVE-2024-29443, CVE-2024-29444, CVE-2024-29445, CVE-2024-29447,
>     CVE-2024-29448, CVE-2024-29449, CVE-2024-29450, CVE-2024-29452,
>     CVE-2024-29454, CVE-2024-29455, CVE-2024-30657, CVE-2024-30658,
>     CVE-2024-30659, CVE-2024-30661, CVE-2024-30662, CVE-2024-30663,
>     CVE-2024-30665, CVE-2024-30666, CVE-2024-30667, CVE-2024-30672,
>     CVE-2024-30674, CVE-2024-30675, CVE-2024-30676, CVE-2024-30678,
>     CVE-2024-30679, CVE-2024-30680, CVE-2024-30681, CVE-2024-30683,
>     CVE-2024-30684, CVE-2024-30686, CVE-2024-30687, CVE-2024-30688,
>     CVE-2024-30690, CVE-2024-30691, CVE-2024-30692, CVE-2024-30694,
>     CVE-2024-30695, CVE-2024-30696, CVE-2024-30697, CVE-2024-30699,
>     CVE-2024-30701, CVE-2024-30702, CVE-2024-30703, CVE-2024-30704,
>     CVE-2024-30706, CVE-2024-30707, CVE-2024-30708, CVE-2024-30710,
>     CVE-2024-30711, CVE-2024-30712, CVE-2024-30713, CVE-2024-30715,
>     CVE-2024-30716, CVE-2024-30718, CVE-2024-30719, CVE-2024-30721,
>     CVE-2024-30722, CVE-2024-30723, CVE-2024-30724, CVE-2024-30726,
>     CVE-2024-30727, CVE-2024-30728, CVE-2024-30729, CVE-2024-30730,
>     CVE-2024-30733, CVE-2024-30735, CVE-2024-30736, and CVE-2024-30737
>
>     Many thanks to Florencia Cabral Berenfus for her analysis of these
>     claims!
>
>     Mark Esler
>
>     [0] https://dl.acm.org/doi/abs/10.1145/3573910.3573912
>     [1] https://github.com/yashpatelphd/CVE-2024-30737/issues/1
>     [2]
>     https://docs.ros.org/en/foxy/Tutorials/Beginner-Client-Libraries/Writing-A-Simple-Py-Service-And-Client.html
>     [3] https://github.com/yashpatelphd/CVE-2023-33565
>     [4] message ID
>     <CAE6X0kjYCMS4qRYP9Bohx88ue9ReedbPr=FFh+hNs+2RkOGeLg () mail gmail com
>     <mailto:FFh%2BhNs%2B2RkOGeLg () mail gmail com>>
>     [5] https://github.com/yashpatelphd/CVE-2024-30737