CVE-2020-10271 (GCVE-0-2020-10271)
Vulnerability from cvelistv5
Published
2020-06-24 04:40
Modified
2024-09-16 22:02
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
MiR100, MiR200 and other MiR robots use the Robot Operating System (ROS) default packages exposing the computational graph to all network interfaces, wireless and wired. This is the result of a bad set up and can be mitigated by appropriately configuring ROS and/or applying custom patches as appropriate. Currently, the ROS computational graph can be accessed fully from the wired exposed ports. In combination with other flaws such as CVE-2020-10269, the computation graph can also be fetched and interacted from wireless networks. This allows a malicious operator to take control of the ROS logic and correspondingly, the complete robot given that MiR's operations are centered around the framework (ROS).
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mobile Industrial Robots A/S | MiR100 |
Version: v2.8.1.1 and before |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:58:40.023Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/aliasrobotics/RVD/issues/2555"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "MiR100",
"vendor": "Mobile Industrial Robots A/S",
"versions": [
{
"status": "affected",
"version": "v2.8.1.1 and before"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "V\u00edctor Mayoral Vilches, Alfonso Glera, Lander Usategui, Unai Ayucar, Xabier S\u00e1ez de C\u00e1mara (Alias Robotics)"
}
],
"datePublic": "2020-06-24T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "MiR100, MiR200 and other MiR robots use the Robot Operating System (ROS) default packages exposing the computational graph to all network interfaces, wireless and wired. This is the result of a bad set up and can be mitigated by appropriately configuring ROS and/or applying custom patches as appropriate. Currently, the ROS computational graph can be accessed fully from the wired exposed ports. In combination with other flaws such as CVE-2020-10269, the computation graph can also be fetched and interacted from wireless networks. This allows a malicious operator to take control of the ROS logic and correspondingly, the complete robot given that MiR\u0027s operations are centered around the framework (ROS)."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-668",
"description": "CWE-668",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-24T04:40:18",
"orgId": "dc524f69-879d-41dc-ab8f-724e78658a1a",
"shortName": "Alias"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/aliasrobotics/RVD/issues/2555"
}
],
"source": {
"defect": [
"RVD#2555"
],
"discovery": "EXTERNAL"
},
"title": "RVD#2555: MiR ROS computational graph is exposed to all network interfaces, including poorly secured wireless networks and open wired ones",
"x_generator": {
"engine": "Robot Vulnerability Database (RVD)"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@aliasrobotics.com",
"DATE_PUBLIC": "2020-06-24T04:34:51 +00:00",
"ID": "CVE-2020-10271",
"STATE": "PUBLIC",
"TITLE": "RVD#2555: MiR ROS computational graph is exposed to all network interfaces, including poorly secured wireless networks and open wired ones"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "MiR100",
"version": {
"version_data": [
{
"version_value": "v2.8.1.1 and before"
}
]
}
}
]
},
"vendor_name": "Mobile Industrial Robots A/S"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "V\u00edctor Mayoral Vilches, Alfonso Glera, Lander Usategui, Unai Ayucar, Xabier S\u00e1ez de C\u00e1mara (Alias Robotics)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "MiR100, MiR200 and other MiR robots use the Robot Operating System (ROS) default packages exposing the computational graph to all network interfaces, wireless and wired. This is the result of a bad set up and can be mitigated by appropriately configuring ROS and/or applying custom patches as appropriate. Currently, the ROS computational graph can be accessed fully from the wired exposed ports. In combination with other flaws such as CVE-2020-10269, the computation graph can also be fetched and interacted from wireless networks. This allows a malicious operator to take control of the ROS logic and correspondingly, the complete robot given that MiR\u0027s operations are centered around the framework (ROS)."
}
]
},
"generator": {
"engine": "Robot Vulnerability Database (RVD)"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "critical",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-668"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/aliasrobotics/RVD/issues/2555",
"refsource": "CONFIRM",
"url": "https://github.com/aliasrobotics/RVD/issues/2555"
}
]
},
"source": {
"defect": [
"RVD#2555"
],
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "dc524f69-879d-41dc-ab8f-724e78658a1a",
"assignerShortName": "Alias",
"cveId": "CVE-2020-10271",
"datePublished": "2020-06-24T04:40:18.659462Z",
"dateReserved": "2020-03-10T00:00:00",
"dateUpdated": "2024-09-16T22:02:17.241Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2020-10271\",\"sourceIdentifier\":\"cve@aliasrobotics.com\",\"published\":\"2020-06-24T05:15:12.847\",\"lastModified\":\"2024-11-21T04:55:06.540\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"MiR100, MiR200 and other MiR robots use the Robot Operating System (ROS) default packages exposing the computational graph to all network interfaces, wireless and wired. This is the result of a bad set up and can be mitigated by appropriately configuring ROS and/or applying custom patches as appropriate. Currently, the ROS computational graph can be accessed fully from the wired exposed ports. In combination with other flaws such as CVE-2020-10269, the computation graph can also be fetched and interacted from wireless networks. This allows a malicious operator to take control of the ROS logic and correspondingly, the complete robot given that MiR\u0027s operations are centered around the framework (ROS).\"},{\"lang\":\"es\",\"value\":\"MiR100, MiR200 y otros robots MiR usan los paquetes predeterminados del Robot Operating System (ROS) que exponen el gr\u00e1fico computacional a todas las interfaces de red, inal\u00e1mbricas y cableadas. Este es el resultado de una configuraci\u00f3n incorrecta y puede ser mitigado ajustando el ROS de forma apropiada y/o aplicando parches seg\u00fan sea apropiado. Actualmente, puede accederse completamente al gr\u00e1fico computacional del ROS desde los puertos expuestos cableados. En combinaci\u00f3n con otros fallos como CVE-2020-10269, el gr\u00e1fico computacional tambi\u00e9n puede ser recuperado e interactuado desde redes inal\u00e1mbricas. Esto permite a un operador malicioso tomar el control de la l\u00f3gica del ROS y, en consecuencia, del robot completo dado que las operaciones de MiR se centran en el framework (ROS)\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV30\":[{\"source\":\"cve@aliasrobotics.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":10.0,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":6.0}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:N/A:N\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"cve@aliasrobotics.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-668\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-668\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:aliasrobotics:mir100_firmware:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2.8.1.1\",\"matchCriteriaId\":\"BBDEDA2D-26AB-4F23-B672-D0C89A7BEFB9\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:aliasrobotics:mir100:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D0989373-02AB-4E05-BAC2-0522A641D73A\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:aliasrobotics:mir200_firmware:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2.8.1.1\",\"matchCriteriaId\":\"78E261B1-C56F-4428-9D53-5BBCCACEAFCF\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:aliasrobotics:mir200:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7BF40B1F-0DD2-4B8A-BFBA-A7E641DC3316\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:aliasrobotics:mir250_firmware:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2.8.1.1\",\"matchCriteriaId\":\"877EEDC4-E86F-420D-81C6-3F632C787003\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:aliasrobotics:mir250:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BD1AE2A0-D83D-441B-856B-7E6FAB065C0D\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:aliasrobotics:mir500_firmware:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2.8.1.1\",\"matchCriteriaId\":\"335CA5FE-5AFD-4D49-9A88-1CD71C9281BE\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:aliasrobotics:mir500:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F57611E0-5CB2-40FD-8420-ED13A1C4863F\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:aliasrobotics:mir1000_firmware:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2.8.1.1\",\"matchCriteriaId\":\"6865A559-8CA9-4F51-AC43-35BDF5201B91\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:aliasrobotics:mir1000:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"04043B16-E401-4D2C-9812-71923CEA2716\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:mobile-industrial-robotics:er200_firmware:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2.8.1.1\",\"matchCriteriaId\":\"39BD42AA-95E1-4A02-BB9D-C54AE6BAF9B2\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:mobile-industrial-robotics:er200:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D8A47E5E-7754-47EA-B02D-8A7F54124ED4\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:enabled-robotics:er-lite_firmware:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2.8.1.1\",\"matchCriteriaId\":\"DF0E5CFB-6C15-4BB1-97D8-DD52F68190DD\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:enabled-robotics:er-lite:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"472A560B-547D-4C9F-BE86-ED602FA32799\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:enabled-robotics:er-flex_firmware:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2.8.1.1\",\"matchCriteriaId\":\"D5528AFD-75DF-4296-9A29-4BD00AB76273\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:enabled-robotics:er-flex:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"654488E4-161E-40B5-9E0B-BE68F5F38E91\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:enabled-robotics:er-one_firmware:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2.8.1.1\",\"matchCriteriaId\":\"CD6E62F4-9C15-49AA-BFB7-81443D40B9B9\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:enabled-robotics:er-one:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1BB77317-78C0-4800-8E1D-498979B6CB06\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:uvd-robots:uvd_robots_firmware:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2.8.1.1\",\"matchCriteriaId\":\"A7452D74-36A5-4C87-AA20-8E9A80724EAA\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:uvd-robots:uvd_robots:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4FD4ACEB-1184-47AB-86E4-732DA183E8AE\"}]}]}],\"references\":[{\"url\":\"https://github.com/aliasrobotics/RVD/issues/2555\",\"source\":\"cve@aliasrobotics.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/aliasrobotics/RVD/issues/2555\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…