CRITICAL🇵🇱 Wersja polska

CVE-2024-41646

CVSS 9.8v3.1pub. 2024-12-06upd. 2024-12-13

Insecure Permissions vulnerability in Open Robotics Robotic Operating System 2 ROS2 navigation2 v.humble allows an attacker to execute arbitrary code via a crafted script to the nav2_dwb_controller.

🤖 AI Analysis
How it works

The flaw results from improper permission configuration (CWE-281) in the nav2_dwb_controller component, which is part of the ROS2 navigation2 stack. An attacker can deliver a specially crafted script that will be executed in the context of the motion controller process. The attack is possible remotely, without authentication and without any user interaction.

Impact

An attacker can gain full control of the system, obtaining the ability to read and modify data and disrupt service availability (complete C/I/A: High). In the case of robotic systems, this can also lead to unauthorized control of robot behavior.

Mitigation & patch

Patches available from the vendor should be applied in accordance with references – monitor progress in the project repository (PR #4463 in the ros-navigation/navigation2 repository). Until the fix is implemented, network isolation of ROS2 nodes and restriction of access to system communication interfaces are recommended.

Who is affected

Open Robotics Robot Operating System 2 (ROS2) navigation2, humble version (nav2_dwb_controller)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Openrobotics Robot Operating System

    APP
    Openrobotics
    2
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2024-38924CRITICAL9.8PL ✓ten sam produkt

Use-after-free w ROS2 Nav2 humble — zdalny exploit przez nav2_amcl

CVE-2024-38922CRITICAL9.8PL ✓ten sam produkt

Heap overflow w procesie nav2_amcl systemu ROS2 Nav2

CVE-2024-38921CRITICAL9.8PL ✓ten sam produkt

Use-after-free w ROS2 Nav2 — zdalny atak przez parametr /amcl z_rand

CVE-2024-38923CRITICAL9.8PL ✓ten sam produkt

Use-after-free w ROS2 Nav2 humble poprzez proces nav2_amcl

CVE-2024-38925CRITICAL9.8PL ✓ten sam produkt

Use-after-free w ROS2 Nav2 — zdalny atak przez zmianę parametru AMCL