CVE-2024-30259: Eprosima Fast DDS DoS Vulnerability

CVE-2024-30259 Overview

CVE-2024-30259 is a heap buffer overflow vulnerability in eProsima Fast DDS, a C++ implementation of the Data Distribution Service (DDS) standard from the Object Management Group (OMG). The flaw resides in the subscriber's processing of Real-Time Publish-Subscribe (RTPS) packets. A malicious publisher can send a malformed RTPS packet that triggers an out-of-bounds write on the subscriber's heap, crashing any Fast DDS process and producing a denial-of-service (DoS) condition.

Critical Impact

Remote, unauthenticated attackers on the network can crash Fast DDS subscribers by emitting a single malformed RTPS packet, disrupting middleware-dependent systems such as ROS 2 robotics and autonomous platforms.

Affected Products

• eProsima Fast DDS versions prior to 2.6.8
• eProsima Fast DDS versions prior to 2.10.4 and 2.13.5
• eProsima Fast DDS versions prior to 2.14.1 (including 2.14.0)

Discovery Timeline

• 2024-05-14 - CVE-2024-30259 published to the National Vulnerability Database (NVD)
• 2025-01-27 - Last updated in NVD database

Technical Details for CVE-2024-30259

Vulnerability Analysis

Fast DDS implements the RTPS wire protocol that DDS participants use to exchange discovery and user data. The vulnerability is a heap buffer overflow [CWE-120, CWE-787] triggered when a subscriber parses a malformed RTPS submessage from a publisher. The parsing logic fails to correctly validate length or offset fields encoded in the RTPS header before writing into a heap-allocated buffer.

When the malformed packet is processed, the deserializer writes past the bounds of the destination buffer, corrupting adjacent heap memory. The corruption causes the Fast DDS process to terminate, producing a denial-of-service condition. The impact is limited to availability; confidentiality and integrity remain intact according to the published CVSS vector.

Because DDS is widely used as the middleware layer in ROS 2 and other distributed real-time systems, an outage of any subscriber process can cascade across robotics fleets, industrial control loops, and autonomous vehicle stacks.

Root Cause

The root cause is insufficient input validation during RTPS submessage deserialization. Length and offset fields received from an untrusted peer are used to index into a heap buffer without enforcing bounds checks consistent with the actual allocation size, satisfying the conditions for both [CWE-120] (classic buffer overflow) and [CWE-787] (out-of-bounds write).

Attack Vector

The attack is network-based and requires no authentication or user interaction. An attacker establishes itself as an RTPS publisher reachable by a victim subscriber, then sends a crafted RTPS packet containing malformed length fields. By default, DDS participants on the same multicast domain auto-discover one another, allowing the attacker to reach subscribers without prior pairing in many deployments. Refer to the eProsima security advisory GHSA-qcj9-939p-p662 for protocol-level detail.

No verified public proof-of-concept code is referenced in the advisory.

Detection Methods for CVE-2024-30259

Indicators of Compromise

• Unexpected crashes, segmentation faults, or abnormal terminations of Fast DDS processes such as fastdds, fastddsgen, or ROS 2 nodes linked against vulnerable Fast DDS libraries.
• Core dumps showing heap corruption signatures in RTPS deserialization call paths.
• Inbound RTPS traffic on UDP ports 7400–7500 (default DDS discovery and user-data range) originating from unexpected hosts.

Detection Strategies

• Inventory Fast DDS versions across endpoints and containers, flagging any build older than 2.6.8, 2.10.4, 2.13.5, or 2.14.1.
• Deploy network monitoring rules that parse RTPS submessage headers and alert on length fields that exceed the encapsulating UDP payload.
• Correlate process crash telemetry with concurrent RTPS network activity to surface exploitation attempts.

Monitoring Recommendations

• Continuously collect process termination events from hosts running DDS workloads and ship them to a centralized data lake for analysis.
• Capture RTPS packet metadata at the perimeter of robotics and OT segments to baseline normal publisher behavior.
• Alert on new or unauthorized DDS participants joining a domain, particularly from outside expected IP ranges.

How to Mitigate CVE-2024-30259

Immediate Actions Required

• Upgrade Fast DDS to a fixed release: 2.14.1, 2.13.5, 2.10.4, or 2.6.8, matching the branch already deployed.
• Rebuild and redistribute downstream applications, including ROS 2 distributions, that statically link or bundle Fast DDS.
• Restrict RTPS traffic to trusted network segments using firewalls or VLAN segmentation until patches are applied.

Patch Information

Patched releases are available from eProsima. See the GitHub Security Advisory GHSA-qcj9-939p-p662 for fixed version metadata and commit references. Upgrade to the lowest patched version in your active branch to minimize regression risk.

Workarounds

• Enable DDS Security (authentication and access control plugins) to limit which participants can publish to a subscriber's domain.
• Block inbound RTPS traffic from untrusted sources at the host or network firewall, allowlisting only expected publisher IPs.
• Isolate DDS domains using dedicated network interfaces or overlays to prevent unauthenticated peers from reaching subscribers.

# Example: restrict RTPS discovery and user traffic to a trusted subnet
sudo iptables -A INPUT -p udp --dport 7400:7500 -s 10.10.0.0/24 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 7400:7500 -j DROP