CVE-2025-24807 Overview
eProsima Fast DDS, a C++ implementation of the Data Distribution Service (DDS) standard from the Object Management Group (OMG), contains a certificate validation bypass vulnerability in its access control plugin. The vulnerability exists because the PermissionsCA certificate is not fully chain validated, and expiration dates are not properly verified. The access control plugin only validates the S/MIME signature, which allows an expired PermissionsCA to be incorrectly accepted as valid.
Critical Impact
This vulnerability allows governance and permissions configurations to be accepted from an expired PermissionsCA certificate. Additionally, the system may crash when the PermissionsCA is not self-signed and contains the full certificate chain, potentially leading to denial of service conditions.
Affected Products
- eProsima Fast DDS versions prior to 2.6.10
- eProsima Fast DDS versions prior to 2.10.7
- eProsima Fast DDS versions prior to 2.14.5
- eProsima Fast DDS versions prior to 3.0.2
- eProsima Fast DDS versions prior to 3.1.2
- eProsima Fast DDS versions prior to 3.2.0
Discovery Timeline
- February 11, 2025 - CVE-2025-24807 published to NVD
- February 21, 2025 - Last updated in NVD database
Technical Details for CVE-2025-24807
Vulnerability Analysis
This vulnerability stems from an insufficient verification of data authenticity (CWE-345) in the Fast DDS security access control implementation. The DDS Security specification requires that PermissionsCA certificates undergo full certificate chain validation and expiration date verification before being trusted. However, the Fast DDS implementation bypasses these critical security checks, relying solely on S/MIME signature validation.
The vulnerability enables an attacker with local access to supply an expired or improperly chained PermissionsCA certificate that would normally be rejected. When the access control plugin processes such a certificate, it validates only the cryptographic signature while ignoring the certificate's validity period and chain of trust. This design flaw contradicts the security model defined in the OMG DDS Security Specification.
The attack requires local access and low privileges to exploit, with potential impacts on both integrity and availability of the affected system.
Root Cause
The root cause lies in the implementation of the Permissions.cpp and PKIDH.cpp files within the Fast DDS security module. Specifically, the code paths responsible for validating PermissionsCA certificates fail to:
- Perform full certificate chain validation when the PermissionsCA is not self-signed
- Check the expiration date of the PermissionsCA certificate before accepting it as valid
The implementation only verifies the S/MIME signature, which is insufficient for establishing the trustworthiness of a certificate authority. This partial validation allows attackers to use expired certificates that should have been rejected, potentially enabling unauthorized access control configurations.
Attack Vector
The attack vector is local, requiring an attacker to have access to the system where Fast DDS is deployed. The attacker can exploit this vulnerability by:
- Obtaining or creating an expired PermissionsCA certificate that was previously valid
- Using this expired certificate to sign governance or permissions documents
- Presenting these signed documents to the Fast DDS access control plugin
- The plugin validates only the S/MIME signature and accepts the expired certificate as valid
The vulnerability can also cause system crashes when a non-self-signed PermissionsCA with a full certificate chain is processed, as the implementation does not properly handle this scenario.
The vulnerable code paths are documented in the Permissions.cpp validation logic and the PKIDH.cpp authentication handler.
Detection Methods for CVE-2025-24807
Indicators of Compromise
- Presence of expired PermissionsCA certificates in DDS security configuration directories
- Unexpected acceptance of governance or permissions documents signed by expired certificates
- Application crashes related to certificate chain processing in Fast DDS security modules
- Log entries indicating successful authentication with previously expired credentials
Detection Strategies
- Monitor Fast DDS applications for certificate validation events and cross-reference with known certificate expiration dates
- Implement certificate inventory management to track all PermissionsCA certificates and their validity periods
- Configure logging at the DEBUG level for Fast DDS security modules to capture certificate validation details
- Use runtime application self-protection (RASP) tools to detect anomalous certificate processing behavior
Monitoring Recommendations
- Enable comprehensive logging for the Fast DDS security access control plugin
- Set up alerts for application crashes in the security authentication module (PKIDH.cpp)
- Implement periodic audits of all certificates used in DDS security configurations
- Monitor for any modifications to governance and permissions configuration files
How to Mitigate CVE-2025-24807
Immediate Actions Required
- Upgrade eProsima Fast DDS to a patched version: 2.6.10, 2.10.7, 2.14.5, 3.0.2, 3.1.2, or 3.2.0
- Audit all PermissionsCA certificates currently in use to ensure none are expired
- Verify that all certificates in the trust chain are valid and properly configured
- Review governance and permissions documents to ensure they are signed by valid, non-expired certificates
Patch Information
eProsima has released security patches across multiple version branches to address this vulnerability. The fix implements proper full chain validation for PermissionsCA certificates and adds expiration date verification. Detailed information about the fix is available in the GitHub Pull Request #5530.
Patched versions include:
- Version 2.6.10 for the 2.6.x branch
- Version 2.10.7 for the 2.10.x branch
- Version 2.14.5 for the 2.14.x branch
- Version 3.0.2 for the 3.0.x branch
- Version 3.1.2 for the 3.1.x branch
- Version 3.2.0 for the 3.2.x branch
For complete security advisory details, refer to the GitHub Security Advisory GHSA-w33g-jmm2-8983.
Workarounds
- Ensure all PermissionsCA certificates are self-signed to avoid crashes related to full chain processing
- Implement certificate lifecycle management to automatically rotate certificates before expiration
- Add external validation mechanisms to verify certificate expiration before deploying to Fast DDS
- Consider network segmentation to limit local access to systems running Fast DDS with security plugins enabled
# Check Fast DDS version and update
# Verify current installation version
fastdds --version
# Update to patched version using package manager (example for apt)
sudo apt update
sudo apt install fastdds=3.2.0
# Verify certificate expiration dates in your configuration
openssl x509 -in /path/to/PermissionsCA.pem -noout -dates
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
