From: Mark Esler
To: Yash Patel
Cc: oss-security@lists.openwall.com, "Dr. Parag H. Rughani"
Date: Mon, 22 Apr 2024 23:26:28 -0500
Subject: [oss-security] Re: 83 bogus CVEs assigned to Robot Operating System (ROS)

Reporting security
issues to ROS 2 with proof of concepts and by following their disclosure
policy would be appreciated and valued.

https://ros.org/reps/rep-2006.html

I recommend asking upstream for advice and sharing your manuscript with them.

Mark Esler

On 4/22/24 20:52, Yash Patel wrote:
> Thank you for your detailed overview regarding the CVEs attributed to
> our research on ROS/ROS 2. We appreciate the scrutiny and understand
> the concerns raised by you and other parties.
>
> I want to clarify that our findings are based on extensive tests
> conducted in real-world scenarios within controlled laboratory
> settings, where actual robots were subjected to attacks. This method
> is crucial as it transcends theoretical analysis and involves direct
> interaction with the equipment that is still operational in many
> industrial sectors, although on unsupported ROS/ROS2 versions.
>
> We acknowledge that the CVE descriptions were initially drafted at a
> high level and may not have included comprehensive technical details.
> This was due to pending publication of our full research papers, which
> delve deeper into the specifics of each vulnerability. We are
> preparing a separate document to address this gap, providing the
> evidence and methodologies employed during our research.
>
> Furthermore, it is worth noting that while some ROS versions are no
> longer supported by the official development team, they are still
> actively used in various industries. Our work aims to highlight
> security risks that could affect these legacy systems, thereby aiding
> in proactive cybersecurity measures.
>
> We are open to dialogue and further investigation by third-party
> experts. If the consent remains suspicious of the vulnerability
> claims, we are prepared to request revocation of the CVEs to maintain
> the integrity of the reporting process.
> Our primary goal is to contribute positively to the security of the
> robotic ecosystem, and we are committed to transparency and
> collaboration to achieve this.
>
> Looking forward to your constructive feedback and hoping for an
> opportunity to discuss our findings in detail.
>
> *Yash Patel*
> Ph.D. Research Scholar
> National Forensic Sciences University
> Ministry of Home Affairs, Government of India
> [An Institution of National Importance]
> Gandhinagar, Gujarat, India
>
>
> On Tue, Apr 23, 2024 at 5:22 AM Mark Esler wrote:
>
> > Yash Patel and Dr. Parag Rughani are credited as the discoverers for
> > eighty-three recent CVEs affecting ROS 2 which the MITRE TL-Root CNA
> > assigned.
> >
> > All CVE descriptions are written at a very high, vague, level. No
> > specifics or evidence has been provided to back up vulnerability
> > claims.
> >
> > Three CVEs (CVE-2023-33565, CVE-2023-33566, and CVE-2023-33567)
> > reference the discoverer's 2022 ACM paper "Analyzing Security
> > Vulnerability and Forensic Investigation of ROS2: A Case Study" [0].
> > The more technical portion of this paper was confirmed [1] to be
> > based on a ROS 2 beginner tutorial [2]. The paper does not attribute
> > ROS 2 documentation.
> >
> > Some CVEs claim that a security update will be forthcoming from the
> > ROS 2 development team [3]. Privately [4], ROS 2 core developers
> > stated that they were not contacted and "came to the conclusion that
> > [these CVEs] were likely not real security vulnerabilities.".
> >
> > Certain CVEs describe unlikely situations. For instance,
> > CVE-2024-30737 claims: "A critical vulnerability has been identified
> > in ROS Kinetic Kame, particularly in configurations with
> > ROS_VERSION=1 and ROS_PYTHON_VERSION=3." [5]. ROS Kinetic Kame
> > supports Python 2, not Python 3.
> >
> > Frankly, all descriptions appear to be copy-pasted or generated to
> > _sound_ like security issues. No evidence has been provided in the
> > ACM paper or the 83 CVEs to suggest that vulnerabilities actually
> > exist.
> >
> > CVE revocation requests have been sent to MITRE and CVE descriptions
> > have been appended with: "NOTE: this is disputed by multiple third
> > parties who believe there was not reasonable evidence to determine
> > the existence of a vulnerability."
> >
> > The CVE IDs are: CVE-2023-33565, CVE-2023-33566, CVE-2023-33567,
> > CVE-2023-51197, CVE-2023-51198, CVE-2023-51199, CVE-2023-51200,
> > CVE-2023-51201, CVE-2023-51202, CVE-2023-51204, CVE-2023-51208,
> > CVE-2024-29439, CVE-2024-29440, CVE-2024-29441, CVE-2024-29442,
> > CVE-2024-29443, CVE-2024-29444, CVE-2024-29445, CVE-2024-29447,
> > CVE-2024-29448, CVE-2024-29449, CVE-2024-29450, CVE-2024-29452,
> > CVE-2024-29454, CVE-2024-29455, CVE-2024-30657, CVE-2024-30658,
> > CVE-2024-30659, CVE-2024-30661, CVE-2024-30662, CVE-2024-30663,
> > CVE-2024-30665, CVE-2024-30666, CVE-2024-30667, CVE-2024-30672,
> > CVE-2024-30674, CVE-2024-30675, CVE-2024-30676, CVE-2024-30678,
> > CVE-2024-30679, CVE-2024-30680, CVE-2024-30681, CVE-2024-30683,
> > CVE-2024-30684, CVE-2024-30686, CVE-2024-30687, CVE-2024-30688,
> > CVE-2024-30690, CVE-2024-30691, CVE-2024-30692, CVE-2024-30694,
> > CVE-2024-30695, CVE-2024-30696, CVE-2024-30697, CVE-2024-30699,
> > CVE-2024-30701, CVE-2024-30702, CVE-2024-30703, CVE-2024-30704,
> > CVE-2024-30706, CVE-2024-30707, CVE-2024-30708, CVE-2024-30710,
> > CVE-2024-30711, CVE-2024-30712, CVE-2024-30713, CVE-2024-30715,
> > CVE-2024-30716, CVE-2024-30718, CVE-2024-30719, CVE-2024-30721,
> > CVE-2024-30722, CVE-2024-30723, CVE-2024-30724, CVE-2024-30726,
> > CVE-2024-30727, CVE-2024-30728, CVE-2024-30729, CVE-2024-30730,
> > CVE-2024-30733, CVE-2024-30735, CVE-2024-30736, and CVE-2024-30737
> >
> > Many thanks to Florencia Cabral Berenfus for her analysis of these
> > claims!
> >
> > Mark Esler
> >
> > [0] https://dl.acm.org/doi/abs/10.1145/3573910.3573912
> > [1] https://github.com/yashpatelphd/CVE-2024-30737/issues/1
> > [2] https://docs.ros.org/en/foxy/Tutorials/Beginner-Client-Libraries/Writing-A-Simple-Py-Service-And-Client.html
> > [3] https://github.com/yashpatelphd/CVE-2023-33565
> > [4] message ID
> > [5] https://github.com/yashpatelphd/CVE-2024-30737