Multiple Data Distribution Service (DDS) Implementations (Update A)

Plan Patch8.6ICS-CERT ICSA-21-315-02Nov 11, 2021

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Multiple vulnerabilities in Data Distribution Service (DDS) implementations affect industrial control system communication middleware. Affected DDS products include RTI Connext DDS Micro, Connext DDS Professional/Secure, OpenDDS, CycloneDDS, Fast DDS, CoreDX DDS, and GurumDDS. These vulnerabilities stem from buffer overflow, integer overflow, and insufficient validation issues (CWE-123, CWE-228, CWE-406, CWE-131, CWE-122, CWE-130, CWE-405, CWE-121) that can be exploited by sending malformed network packets. Successful exploitation could result in denial-of-service conditions that disrupt real-time process control, information exposure from memory, or remote code execution on the affected device.

What this means

What could happen

An attacker could exploit buffer overflow or denial-of-service conditions in DDS middleware to crash communication between industrial control devices or execute remote code on systems running vulnerable DDS implementations, disrupting process control and data integrity in real-time operations.

Who's at risk

Any industrial facility using Data Distribution Service (DDS) middleware for real-time process control communication, including water authorities, electric utilities, manufacturing plants, and refineries. Affected products include RTI Connext, OpenDDS, CycloneDDS, Fast DDS, CoreDX DDS, and GurumDDS. Organizations using distributed control architectures, remote I/O, or real-time sensor networks over DDS are at risk.

How it could be exploited

An attacker with network access to devices running vulnerable DDS implementations could send specially crafted packets to trigger buffer overflow or resource exhaustion conditions. If the DDS middleware is reachable from an untrusted network segment or the internet, the attacker does not need authentication to initiate the attack, and the low-complexity exploit could lead to process shutdown or command execution on the affected device.

Prerequisites

Network access to the DDS communication port (typically UDP/TCP port range)
Target system runs one of the affected DDS implementations
No authentication required for DDS protocol traffic
DDS service is actively listening and processing external messages

remotely exploitableno authentication requiredlow complexityhigh severity (CVSS 8.6)affects real-time communication middlewareno patch available for some products (GurumDDS, RTI Micro)potential for remote code execution

Exploitability

Low exploit probability (EPSS 0.8%)

Affected products (7)

5 with fix1 pending1 EOL

ProductAffected VersionsFix Status

RTI Connext DDS Micro:≥ 3.0.0No fix yet

Object Computing Inc. (OCI) OpenDDS: All<3.18.13.18.1

Connext DDS Professional and Connext DDS Secure:≥ 4.2x|<6.1.06.1.0

GurumDDS: All versionsAll versionsNo fix (EOL)

Fast DDS: All<2.4.02.4.0

CoreDX DDS: All<5.9.15.9.1

CycloneDDS: All<0.8.00.8.0

Remediation & Mitigation

0/9

Do now

0/2

HARDENINGPlace DDS-enabled devices behind firewalls and ensure they are not directly accessible from the internet

HARDENINGIsolate control system networks running DDS middleware from business networks

Schedule — requires maintenance window

0/6

Patching may require device reboot — plan for process interruption

HOTFIXUpdate CycloneDDS to version 0.8.0 or later

HOTFIXUpdate Fast DDS to version 2.4.0 or later

HOTFIXUpdate OpenDDS to version 3.18.1 or later

HOTFIXUpdate CoreDX DDS to version 5.9.1 or later (requires login to Twin Oaks website for download)

HOTFIXFor RTI Connext DDS Micro and Professional versions, contact RTI Support to obtain and apply available patches. Use RTI DDS Secure to mitigate network amplification issues

HOTFIXContact GurumNetworks for patch availability and guidance (CISA coordination unsuccessful)

Mitigations - no patch available

0/1

GurumDDS: All versions has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGUse VPN with encryption and current security patches for any required remote access to DDS systems

CVEs (13)

CVE-2021-38441 CVE-2021-38443 CVE-2021-38425 CVE-2021-38423 CVE-2021-38439 CVE-2021-38445 CVE-2021-38447 CVE-2021-38429 CVE-2021-38427 CVE-2021-38433 CVE-2021-38435 CVE-2021-38487 CVE-2021-43547

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/2fef15c0-79d8-4e4e-8c3f-5c78ba4d7cc8