fkie_cve-2020-10266
Vulnerability from fkie_nvd
Published
2020-04-06 12:15
Modified
2024-11-21 04:55
Severity ?
Summary
UR+ (Universal Robots+) is a platform of hardware and software component sellers, for Universal Robots robots. When installing any of these components in the robots (e.g. in the UR10), no integrity checks are performed. Moreover, the SDK for making such components can be easily obtained from Universal Robots. An attacker could exploit this flaw by crafting a custom component with the SDK, performing Person-In-The-Middle attacks (PITM) and shipping the maliciously-crafted component on demand.
References
▶ | URL | Tags | |
---|---|---|---|
cve@aliasrobotics.com | https://github.com/aliasrobotics/RVD/issues/1487 | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/aliasrobotics/RVD/issues/1487 | Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
universal-robots | ur\+ | - | |
universal-robots | ur10 | - | |
universal-robots | ur3 | - | |
universal-robots | ur5 | - |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:universal-robots:ur\\+:-:*:*:*:*:*:*:*", "matchCriteriaId": "91FE81D2-B3F6-4323-A765-CE44D324DBD9", "vulnerable": true } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:h:universal-robots:ur10:-:*:*:*:*:*:*:*", "matchCriteriaId": "07EAD156-50AB-4402-A42B-3E536AE99C32", "vulnerable": false }, { "criteria": "cpe:2.3:h:universal-robots:ur3:-:*:*:*:*:*:*:*", "matchCriteriaId": "FEBB3217-A74E-4EF2-BD4B-3964E57BC759", "vulnerable": false }, { "criteria": "cpe:2.3:h:universal-robots:ur5:-:*:*:*:*:*:*:*", "matchCriteriaId": "304BF507-9AE5-4A15-B037-32115093C73C", "vulnerable": false } ], "negate": false, "operator": "OR" } ], "operator": "AND" } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "UR+ (Universal Robots+) is a platform of hardware and software component sellers, for Universal Robots robots. When installing any of these components in the robots (e.g. in the UR10), no integrity checks are performed. Moreover, the SDK for making such components can be easily obtained from Universal Robots. An attacker could exploit this flaw by crafting a custom component with the SDK, performing Person-In-The-Middle attacks (PITM) and shipping the maliciously-crafted component on demand." }, { "lang": "es", "value": "UR+ (Universal Robots+), es una plataforma de vendedores de componentes de hardware y software para robots de Universal Robots. Cuando instalamos cualquiera de estos componentes en los robots (por ejemplo, en el UR10), no se realizan comprobaciones de integridad. Adem\u00e1s, el SDK para hacer tales componentes puede ser obtenido f\u00e1cilmente desde Universal Robots. Un atacante podr\u00eda explotar este fallo al dise\u00f1ar un componente personalizado con el SDK, llevando a cabo ataques de tipo Person-In-The-Middle (PITM) y enviando el componente dise\u00f1ado maliciosamente seg\u00fan se requiera." } ], "id": "CVE-2020-10266", "lastModified": "2024-11-21T04:55:05.880", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "cve@aliasrobotics.com", "type": "Secondary" } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-04-06T12:15:12.957", "references": [ { "source": "cve@aliasrobotics.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/aliasrobotics/RVD/issues/1487" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/aliasrobotics/RVD/issues/1487" } ], "sourceIdentifier": "cve@aliasrobotics.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-353" } ], "source": "cve@aliasrobotics.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-345" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…