VYPR
High severity 7.8 · NVD Advisory · Published Dec 5, 2024 · Updated Apr 15, 2026

CVE-2024-30963

Description

Buffer Overflow vulnerability in Open Robotics Robotic Operating System 2 (ROS2) navigation2- ROS2-humble and navigation 2-humble allows a local attacker to execute arbitrary code via a crafted script.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Heap-buffer-overflow in ROS2 navigation2's AMCL module allows local attackers to execute arbitrary code by setting a large z_rand parameter.

Vulnerability

Overview

CVE-2024-30963 is a heap-buffer-overflow vulnerability in the Adaptive Monte Carlo Localization (AMCL) module of ROS2 navigation2, specifically in the pf_update_resample function of the particle filter library. The root cause is insufficient validation of the z_rand parameter, which can be set to an extremely large floating-point value via the YAML configuration file. When the AMCL node processes laser scan data, this oversized value triggers a heap-buffer-overflow, as demonstrated by an AddressSanitizer report [1].

Exploitation

An attacker with local access to the system can exploit this vulnerability by crafting a malicious nav2_params.yaml file that sets amcl.ros__parameters.z_rand to a very large number (e.g., 5.486124068793688e+79). When the navigation2 stack is launched with this configuration, the overflow occurs during laser scan processing, potentially allowing the attacker to overwrite adjacent heap memory [1]. No authentication is required beyond the ability to modify the configuration file and launch the ROS2 nodes.

Impact

Successful exploitation could lead to arbitrary code execution in the context of the nav2_amcl process. This could enable an attacker to compromise the robot's navigation system, inject malicious code, or escalate privileges on the host system. The CVSS v3 score of 7.8 (High) reflects the potential for full compromise of confidentiality, integrity, and availability [1].

Mitigation

As of the publication date, no official patch has been released for this vulnerability. Users are advised to validate all configuration parameters, especially z_rand, and avoid setting them to extreme values. Restricting local access to the configuration files and monitoring for unusual parameter values can reduce the attack surface. The issue remains open in the navigation2 repository [1].
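One way to apply the parameter validation advised above, as an added example (not code from the navigation2 project or from this advisory): a pre-launch check over the parsed nav2_params.yaml. The [0, 1] bound, the function names, and checking z_hit, z_short and z_max alongside z_rand are assumptions of this example.

```python
import math

# Assumption: AMCL laser-model weights are mixture weights expected in [0, 1].
# z_rand is the parameter named in the advisory; the other three are checked too.
WEIGHT_PARAMS = ("z_hit", "z_short", "z_max", "z_rand")
LOW, HIGH = 0.0, 1.0


def check_amcl_params(config):
    """Return findings for amcl.ros__parameters in a parsed nav2_params.yaml."""
    findings = []
    amcl = config.get("amcl") if isinstance(config, dict) else None
    params = amcl.get("ros__parameters") if isinstance(amcl, dict) else None
    if not isinstance(params, dict):
        return findings
    for name in WEIGHT_PARAMS:
        if name not in params:
            continue
        raw = params[name]
        try:
            # YAML loaders may hand back "1e80" as a string, so coerce first.
            if isinstance(raw, bool):
                raise TypeError("boolean")
            value = float(raw)
        except (TypeError, ValueError):
            findings.append(f"{name}: {raw!r} is not a number")
            continue
        if not math.isfinite(value):
            findings.append(f"{name}: {raw!r} is not finite")
        elif not LOW <= value <= HIGH:
            findings.append(f"{name}: {value!r} is outside [{LOW}, {HIGH}]")
    return findings


def check_file(path):
    """Load a params file with PyYAML (assumed installed) and check it."""
    import yaml
    with open(path, encoding="utf-8") as fh:
        return check_amcl_params(yaml.safe_load(fh))


if __name__ == "__main__":
    # Constructed sample mirroring the value quoted in the advisory.
    sample = {"amcl": {"ros__parameters": {"z_hit": 0.5, "z_rand": 5.486124068793688e+79}}}
    for finding in check_amcl_params(sample):
        print("REJECT", finding)
```

Running the check before the stack is launched, and refusing to start on any finding, keeps an out-of-range weight from ever reaching the AMCL node.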

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
