CVE-2020-10271 — CRITICAL (9.8)

Q: How severe is CVE-2020-10271?

CVE-2020-10271 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2020-10271?

Check the references section above for vendor advisories and patch information. Affected products include: Aliasrobotics Mir100 Firmware, Aliasrobotics Mir100, Aliasrobotics Mir200 Firmware, Aliasrobotics Mir200, Aliasrobotics Mir250 Firmware.

Vulnerability Description

MiR100, MiR200 and other MiR robots use the Robot Operating System (ROS) default packages exposing the computational graph to all network interfaces, wireless and wired. This is the result of a bad set up and can be mitigated by appropriately configuring ROS and/or applying custom patches as appropriate. Currently, the ROS computational graph can be accessed fully from the wired exposed ports. In combination with other flaws such as CVE-2020-10269, the computation graph can also be fetched and interacted from wireless networks. This allows a malicious operator to take control of the ROS logic and correspondingly, the complete robot given that MiR's operations are centered around the framework (ROS).

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Aliasrobotics	Mir100 Firmware	<= 2.8.1.1
Aliasrobotics	Mir100	-
Aliasrobotics	Mir200 Firmware	<= 2.8.1.1
Aliasrobotics	Mir200	-
Aliasrobotics	Mir250 Firmware	<= 2.8.1.1
Aliasrobotics	Mir250	-
Aliasrobotics	Mir500 Firmware	<= 2.8.1.1
Aliasrobotics	Mir500	-
Aliasrobotics	Mir1000 Firmware	<= 2.8.1.1
Aliasrobotics	Mir1000	-
Mobile-Industrial-Robotics	Er200 Firmware	<= 2.8.1.1
Mobile-Industrial-Robotics	Er200	-
Enabled-Robotics	Er-Lite Firmware	<= 2.8.1.1
Enabled-Robotics	Er-Lite	-
Enabled-Robotics	Er-Flex Firmware	<= 2.8.1.1
Enabled-Robotics	Er-Flex	-
Enabled-Robotics	Er-One Firmware	<= 2.8.1.1
Enabled-Robotics	Er-One	-
Uvd-Robots	Uvd Robots Firmware	<= 2.8.1.1
Uvd-Robots	Uvd Robots	-

Related Weaknesses (CWE)

CWE-668

References

https://github.com/aliasrobotics/RVD/issues/2555ExploitThird Party Advisory
https://github.com/aliasrobotics/RVD/issues/2555ExploitThird Party Advisory

FAQ

What is CVE-2020-10271?

CVE-2020-10271 is a vulnerability with a CVSS score of 9.8 (CRITICAL). MiR100, MiR200 and other MiR robots use the Robot Operating System (ROS) default packages exposing the computational graph to all network interfaces, wireless and wired. This is the result of a bad se...

How severe is CVE-2020-10271?

CVE-2020-10271 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2020-10271?

Check the references section above for vendor advisories and patch information. Affected products include: Aliasrobotics Mir100 Firmware, Aliasrobotics Mir100, Aliasrobotics Mir200 Firmware, Aliasrobotics Mir200, Aliasrobotics Mir250 Firmware.