CRITICAL🇵🇱 Wersja polska

CVE-2024-41648

CVSS 9.8v3.1pub. 2024-12-06upd. 2024-12-13

Insecure Permissions vulnerability in Open Robotics Robotic Operating System 2 ROS2 navigation2 v.humble allows an attacker to execute arbitrary code via a crafted script to the nav2_regulated_pure_pursuit_controller.

🤖 AI Analysis
How it works

The vulnerability results from incorrectly configured permissions in the nav2_regulated_pure_pursuit_controller module that is part of the navigation2 package for ROS2. An attacker can provide a specially crafted script that will be executed in the context of the navigation controller process. Lack of appropriate access restrictions allows malicious code to be executed without authentication and without user interaction.

Impact

An attacker can achieve full remote code execution (RCE) on the target system, potentially resulting in takeover of the robot or the entire ROS2 infrastructure, data disclosure, and violation of system integrity and availability.

Mitigation & patch

Apply patches available from the vendor according to the references — the fix is in progress in the ros-navigation/navigation2 repository (pull request #4463). It is recommended to monitor the official project repository and implement the available update as soon as possible. Until patching is completed, restrict network access to ROS2 interfaces.

Who is affected

Open Robotics Robot Operating System 2 (ROS2) — navigation2 package in humble version

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Openrobotics Robot Operating System

    APP
    Openrobotics
    2
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2024-38924CRITICAL9.8PL ✓ten sam produkt

Use-after-free w ROS2 Nav2 humble — zdalny exploit przez nav2_amcl

CVE-2024-38922CRITICAL9.8PL ✓ten sam produkt

Heap overflow w procesie nav2_amcl systemu ROS2 Nav2

CVE-2024-38921CRITICAL9.8PL ✓ten sam produkt

Use-after-free w ROS2 Nav2 — zdalny atak przez parametr /amcl z_rand

CVE-2024-38923CRITICAL9.8PL ✓ten sam produkt

Use-after-free w ROS2 Nav2 humble poprzez proces nav2_amcl

CVE-2024-38925CRITICAL9.8PL ✓ten sam produkt

Use-after-free w ROS2 Nav2 — zdalny atak przez zmianę parametru AMCL