CVE-2020-10270 — CRITICAL (9.8)

Q: How severe is CVE-2020-10270?

CVE-2020-10270 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2020-10270?

Check the references section above for vendor advisories and patch information. Affected products include: Aliasrobotics Mir100 Firmware, Aliasrobotics Mir100, Aliasrobotics Mir200 Firmware, Aliasrobotics Mir200, Aliasrobotics Mir250 Firmware.

Vulnerability Description

Out of the wired and wireless interfaces within MiR100, MiR200 and other vehicles from the MiR fleet, it's possible to access the Control Dashboard on a hardcoded IP address. Credentials to such wireless interface default to well known and widely spread users (omitted) and passwords (omitted). This information is also available in past User Guides and manuals which the vendor distributed. This flaw allows cyber attackers to take control of the robot remotely and make use of the default user interfaces MiR has created, lowering the complexity of attacks and making them available to entry-level attackers. More elaborated attacks can also be established by clearing authentication and sending network requests directly. We have confirmed this flaw in MiR100 and MiR200 but according to the vendor, it might also apply to MiR250, MiR500 and MiR1000.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Aliasrobotics	Mir100 Firmware	<= 2.8.1.1
Aliasrobotics	Mir100	-
Aliasrobotics	Mir200 Firmware	<= 2.8.1.1
Aliasrobotics	Mir200	-
Aliasrobotics	Mir250 Firmware	<= 2.8.1.1
Aliasrobotics	Mir250	-
Aliasrobotics	Mir500 Firmware	<= 2.8.1.1
Aliasrobotics	Mir500	-
Aliasrobotics	Mir1000 Firmware	<= 2.8.1.1
Aliasrobotics	Mir1000	-
Mobile-Industrial-Robotics	Er200 Firmware	<= 2.8.1.1
Mobile-Industrial-Robotics	Er200	-
Enabled-Robotics	Er-Lite Firmware	<= 2.8.1.1
Enabled-Robotics	Er-Lite	-
Enabled-Robotics	Er-Flex Firmware	<= 2.8.1.1
Enabled-Robotics	Er-Flex	-
Enabled-Robotics	Er-One Firmware	<= 2.8.1.1
Enabled-Robotics	Er-One	-
Uvd-Robots	Uvd Robots Firmware	<= 2.8.1.1
Uvd-Robots	Uvd Robots	-

Related Weaknesses (CWE)

CWE-798

References

https://github.com/aliasrobotics/RVD/issues/2557ExploitThird Party Advisory
https://github.com/aliasrobotics/RVD/issues/2557ExploitThird Party Advisory

FAQ

What is CVE-2020-10270?

CVE-2020-10270 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Out of the wired and wireless interfaces within MiR100, MiR200 and other vehicles from the MiR fleet, it's possible to access the Control Dashboard on a hardcoded IP address. Credentials to such wirel...

How severe is CVE-2020-10270?

CVE-2020-10270 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2020-10270?

Check the references section above for vendor advisories and patch information. Affected products include: Aliasrobotics Mir100 Firmware, Aliasrobotics Mir100, Aliasrobotics Mir200 Firmware, Aliasrobotics Mir200, Aliasrobotics Mir250 Firmware.