CVE-2024-30917: n/a
An issue was discovered in eProsima FastDDS v2.14.0 and before that allows a local attacker to cause a denial of service (DoS) and obtain sensitive information via a crafted history_depth parameter in the DurabilityService QoS component.
AI Analysis
Technical Summary
CVE-2024-30917 is a medium-severity vulnerability identified in eProsima FastDDS, an open-source implementation of the Data Distribution Service (DDS) protocol widely used in real-time distributed systems such as robotics, autonomous vehicles, and industrial automation. The vulnerability exists in versions 2.14.0 and earlier within the DurabilityService Quality of Service (QoS) component, specifically in the handling of the history_depth parameter. This parameter controls how many past samples are stored and delivered to late-joining subscribers. Improper validation or handling of a crafted history_depth value supplied by a local attacker can lead to denial of service conditions, such as application crashes or resource exhaustion, impacting system availability. Additionally, the flaw may allow the attacker to access sensitive information, although the exact nature and scope of this data exposure are not detailed. Exploitation requires local access with low privileges and does not require user interaction, making it a concern for environments where multiple users or processes share the same system. The vulnerability is tracked under CWE-229 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-922 (Incomplete Recovery from Failed Resource Allocation), indicating issues with parameter validation and resource management. No public exploits or patches are currently available, underscoring the need for proactive mitigation. The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) reflects a local attack vector, low complexity, low privileges required, no user interaction, unchanged scope, no confidentiality or integrity impact, but high impact on availability; note that the C:N rating in this vector does not credit the information-disclosure claim made in the description, so the availability impact is the one that has been scored.
Potential Impact
The primary impact of CVE-2024-30917 is denial of service, which can disrupt the operation of distributed systems relying on FastDDS for real-time data exchange. This can lead to system crashes, degraded performance, or unavailability of critical communication channels, potentially affecting mission-critical applications in robotics, autonomous vehicles, industrial control, and defense systems. The potential exposure of sensitive information, while not fully detailed, raises concerns about confidentiality breaches in environments where FastDDS handles sensitive or proprietary data. Organizations deploying FastDDS in multi-user or multi-process environments face increased risk because, although local access is required, only low privileges are needed. The disruption of availability can have cascading effects on operational continuity, safety, and reliability, especially in sectors where real-time data integrity and timeliness are paramount. Although no known exploits exist currently, the vulnerability's presence in widely used middleware means that attackers with local access could leverage it to degrade system performance or extract information, emphasizing the need for vigilance.
Mitigation Recommendations
To mitigate CVE-2024-30917, organizations should first identify all deployments of eProsima FastDDS version 2.14.0 or earlier within their environments. Restrict local access to systems running FastDDS to trusted users and processes only, minimizing the risk of local exploitation. Implement strict access controls and user privilege management to prevent unauthorized local access. Monitor system logs and application behavior for signs of abnormal crashes or resource exhaustion related to the DurabilityService QoS component. Where possible, apply runtime protections such as sandboxing or containerization to isolate FastDDS processes and limit the impact of potential DoS attacks. Engage with eProsima or the FastDDS community to track the release of patches or updates addressing this vulnerability and plan timely upgrades. Additionally, conduct code reviews or static analysis on custom configurations or extensions involving the history_depth parameter to ensure proper validation and handling. Consider implementing network segmentation and endpoint security controls to reduce the attack surface and detect anomalous local activity. Finally, prepare incident response plans that include scenarios involving FastDDS service disruptions.
Affected Countries
United States, Germany, Japan, South Korea, France, United Kingdom, Canada, China, Italy, Australia
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-03-27T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6dcdb7ef31ef0b58eaa7
Added to database: 2/25/2026, 9:46:53 PM
Last enriched: 2/26/2026, 12:19:17 PM
Last updated: 4/12/2026, 3:40:47 PM