CVE-2023-47625 in Autopilot

Summary

by MITRE • 11/13/2023

PX4 autopilot is a flight control solution for drones. In affected versions a global buffer overflow vulnerability exists in the CrsfParser_TryParseCrsfPacket function in /src/drivers/rc/crsf_rc/CrsfParser.cpp:298 due to the invalid size check. A malicious user may create an RC packet remotely and that packet goes into the device where the _rcs_buf reads. The global buffer overflow vulnerability will be triggered and the drone can behave unexpectedly. This issue has been addressed in version 1.14.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.


Analysis

by VulDB Data Team • 12/07/2023

The PX4 autopilot system represents a critical component in unmanned aerial vehicle control, serving as the primary flight control solution for drone operations across various commercial and military applications. This vulnerability exists within the CRSF (Crossfire Serial Protocol) receiver driver implementation where the CrsfParser_TryParseCrsfPacket function fails to properly validate packet sizes before processing. The flaw manifests as a global buffer overflow condition that occurs when maliciously crafted RC packets are transmitted to the drone's receiver module. The vulnerability stems from inadequate input validation mechanisms within the parsing logic, specifically at line 298 in the CrsfParser.cpp source file where the size check is insufficient to prevent buffer overrun scenarios. This particular implementation flaw allows attackers to exploit the protocol parsing function through remote transmission of malformed CRSF packets, bypassing normal operational boundaries that should protect the system from invalid data.

The technical exploitation of this vulnerability presents significant operational risks to drone systems that rely on PX4 autopilot functionality. When a maliciously crafted RC packet is received and processed by the vulnerable system, the buffer overflow condition triggers memory corruption within the global _rcs_buf buffer. This memory corruption can lead to unpredictable system behavior including loss of control authority, unexpected flight termination, or complete system crash. The remote nature of the attack means that adversaries can potentially compromise drone operations from distant locations without requiring physical access to the device. The vulnerability's impact extends beyond simple system instability as it creates opportunities for more sophisticated attacks that could manipulate flight parameters, disable safety mechanisms, or potentially cause physical damage to the aircraft. The issue has been properly addressed in version 1.14.0 of the PX4 autopilot software, which includes enhanced input validation and proper buffer size checking mechanisms.

Security practitioners should recognize this vulnerability as a classic example of CWE-121, which describes stack-based buffer overflow conditions, though in this case it manifests as a global buffer overflow due to the specific memory allocation pattern. The vulnerability also aligns with ATT&CK technique T1059.001, which covers command and scripting interpreter execution, as the corrupted memory state could potentially allow for code injection or execution manipulation. Organizations operating PX4-based drone systems must prioritize immediate upgrade to version 1.14.0 or later to mitigate this risk, as no effective workarounds exist for this particular vulnerability. The lack of available mitigations underscores the critical nature of this flaw and emphasizes the importance of maintaining current firmware versions. Security monitoring should include detection of anomalous CRSF packet patterns and unusual RC receiver behavior that might indicate exploitation attempts, particularly in environments where drone operations are conducted in potentially hostile networks.
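As an added illustration of the bug class described in the summary and analysis above (a constructed example, not PX4's code): a CRSF-style frame parser that copies received bytes into a fixed global buffer and validates the declared frame length against that buffer before the copy. The frame layout, the 64-byte bound, and the function names are assumptions made for this example.

```c
/* Constructed illustration of the bug class in this advisory; not PX4's code.
 * Assumed CRSF-style frame: [sync][len][type][payload ...][crc8], where len
 * counts type + payload + crc and frames are at most CRSF_MAX_FRAME bytes. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CRSF_SYNC       0xC8
#define CRSF_MAX_FRAME  64   /* assumed upper bound for a complete frame */

static uint8_t g_rc_frame[CRSF_MAX_FRAME];  /* fixed global buffer, like _rcs_buf */

/* CRC-8, polynomial 0xD5, over type + payload (the CRSF frame checksum). */
uint8_t crsf_crc8(const uint8_t *data, size_t n) {
    uint8_t crc = 0;
    for (size_t i = 0; i < n; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (uint8_t)((crc & 0x80) ? (crc << 1) ^ 0xD5 : (crc << 1));
    }
    return crc;
}

/* Returns the number of bytes consumed (a complete, valid frame copied into
 * g_rc_frame) or 0 when the input is rejected or still incomplete. The point
 * is the order of checks: the attacker-controlled length byte is validated
 * against the destination buffer before a single byte is copied. */
size_t crsf_try_parse_frame(const uint8_t *in, size_t in_len) {
    if (in_len < 2 || in[0] != CRSF_SYNC) return 0;
    size_t frame_len = (size_t)in[1] + 2;        /* sync + len + declared bytes */
    if (in[1] < 2 || frame_len > CRSF_MAX_FRAME) return 0;  /* the size check */
    if (frame_len > in_len) return 0;            /* partial frame: wait for more */
    if (crsf_crc8(&in[2], (size_t)in[1] - 1) != in[frame_len - 1]) return 0;
    memcpy(g_rc_frame, in, frame_len);           /* safe: frame_len <= buffer */
    return frame_len;
}

uint8_t crsf_frame_type(void) { return g_rc_frame[2]; }

/* Constructed sample inputs: a well-formed frame, and one whose declared
 * length (0xFF) exceeds the global buffer and must be rejected unread. */
size_t demo_parse_valid(void) {
    uint8_t f[6] = {CRSF_SYNC, 4, 0x16, 0xAA, 0xBB, 0};
    f[5] = crsf_crc8(&f[2], 3);
    return crsf_try_parse_frame(f, sizeof f);
}
size_t demo_parse_oversized(void) {
    uint8_t f[4] = {CRSF_SYNC, 0xFF, 0x16, 0x00};
    return crsf_try_parse_frame(f, sizeof f);
}
```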

Responsible: GitHub, Inc.

Reservation: 11/07/2023

Disclosure: 11/13/2023

Moderation: accepted

CPE: ready

EPSS: 0.00515

KEV: no

Activities: very low
