RVD
RVD#450: DDS authentication plugin weakness in prime256v1 curves might lead to data to side channel attacks
id: 450
title: 'RVD#450: DDS authentication plugin weakness in prime256v1 curves might lead
to data to side channel attacks'
type: weakness
description: For the authentication plug-in, a participant is issued a certificate
based on one of the following types of algorithm/key definitions, RSA 2048 or ECDSA
256 bits. The authors of SafeCurves state that using prime256v1 curves is not safe
due to the elliptic-curve discrete logarithm problem being difficult and the gap in implementing
elliptic-curve cryptography (ECC) security, exposing data to side-channel attacks.
Other curves are offered to circumvent these shortcomings.
cwe: None
cve: None
keywords:
- components software
- malformed
- 'robot component: DDS'
- 'robot component: FastRTPS'
- 'robot component: ROS2'
- 'vendor: ADLINK'
- 'vendor: RTI'
- 'vendor: eProsima'
- weakness
system: null
vendor: null
severity:
rvss-score: None
rvss-vector: N/A
severity-description: ''
cvss-score: 0
cvss-vector: ''
links:
- https://github.com/aliasrobotics/RVD/issues/450
flaw:
phase: unknown
specificity: N/A
architectural-location: N/A
application: N/A
subsystem: N/A
package: N/A
languages: None
date-detected: 2018-06-01 (00:00)
detected-by: Vincenzo DiLuoffo, William R Michalson and Berk Sunar
detected-by-method: N/A
date-reported: 2019-10-07 (00:00)
reported-by: Alias Robotics
reported-by-relationship: security researcher
issue: https://github.com/aliasrobotics/RVD/issues/450
reproducibility: ''
trace: null
reproduction: ''
reproduction-image: ''
exploitation:
description: ''
exploitation-image: ''
exploitation-vector: ''
exploitation-recipe: ''
mitigation:
description: ''
pull-request: ''
date-mitigation: null
Feedback (automatically generated):
- FIXME: Flaw not identified as a vulnerability, weakness or exposure. Have you included `# Vulnerability (or Weakness or Exposure) report` at the top of the ticket?, see for more information or review other tickets to get inspiration
Please review the feedback above. Once addressed, either request the removal of the malformed
label to trigger another automatic review.
Feedback (automatically generated):
- FIXME: Robot or Robot component not present in summary table or invalid, see for more information or review other tickets and get inspiration
- FIXME: CWD ID not present in summary table or invalid, see for more information or review other tickets and get inspiration
- FIXME: Attack vector not present in summary table or invalid, see for more information or review other tickets and get inspiration
- FIXME: `### Description` not present or invalid, see for more information or review other tickets and get inspiration
Please review the feedback above. Once addressed, either request the removal of the malformed
label to trigger another automatic review.
Elevating to vulnerability but needs further triage.