1. Home
  2. CVE Database
  3. CVE-2018-17176
HIGH · 7.5

CVE-2018-17176

A replay issue was discovered on Neato Botvac Connected 2.2.0 devices. Manual control mode requires authentication, but once recorded, the authentication (always transmitted in cleartext) can be repla...

Vulnerability Description

A replay issue was discovered on Neato Botvac Connected 2.2.0 devices. Manual control mode requires authentication, but once recorded, the authentication (always transmitted in cleartext) can be replayed to /bin/webserver on port 8081. There are no nonces, and timestamps are not checked at all.

CVSS Score

7.5

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
HIGH
Availability
NONE

Affected Products

VendorProductVersions
NeatoroboticsBotvac D4 Connected Firmware2.2.0
NeatoroboticsBotvac D4 Connected-
NeatoroboticsBotvac D6 Connected Firmware2.2.0
NeatoroboticsBotvac D6 Connected-
NeatoroboticsBotvac D7 Connected Firmware2.2.0
NeatoroboticsBotvac D7 Connected-

Related Weaknesses (CWE)

CWE-294

References

FAQ

What is CVE-2018-17176?

CVE-2018-17176 is a vulnerability with a CVSS score of 7.5 (HIGH). A replay issue was discovered on Neato Botvac Connected 2.2.0 devices. Manual control mode requires authentication, but once recorded, the authentication (always transmitted in cleartext) can be repla...

How severe is CVE-2018-17176?

CVE-2018-17176 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-17176?

Check the references section above for vendor advisories and patch information. Affected products include: Neatorobotics Botvac D4 Connected Firmware, Neatorobotics Botvac D4 Connected, Neatorobotics Botvac D6 Connected Firmware, Neatorobotics Botvac D6 Connected, Neatorobotics Botvac D7 Connected Firmware.