CVE-2020-10270
| Summary |
Out of the wired and wireless interfaces within MiR100, MiR200 and other vehicles from the MiR fleet, it's possible to access the Control Dashboard on a hardcoded IP address. Credentials to such wireless interface default to well known and widely spread users (omitted) and passwords (omitted). This information is also available in past User Guides and manuals which the vendor distributed. This flaw allows cyber attackers to take control of the robot remotely and make use of the default user interfaces MiR has created, lowering the complexity of attacks and making them available to entry-level attackers. More elaborated attacks can also be established by clearing authentication and sending network requests directly. We have confirmed this flaw in MiR100 and MiR200 but according to the vendor, it might also apply to MiR250, MiR500 and MiR1000.
|
| Publication Date |
June 24, 2020, 2:15 p.m. |
| Registration Date |
Jan. 26, 2021, 11:50 a.m. |
| Last Update |
Nov. 21, 2024, 1:55 p.m. |
|
CVSS3.1 : CRITICAL
|
| スコア |
9.8
|
| Vector |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 攻撃元区分(AV) |
ネットワーク |
| 攻撃条件の複雑さ(AC) |
低 |
| 攻撃に必要な特権レベル(PR) |
不要 |
| 利用者の関与(UI) |
不要 |
| 影響の想定範囲(S) |
変更なし |
| 機密性への影響(C) |
高 |
| 完全性への影響(I) |
高 |
| 可用性への影響(A) |
高 |
|
CVSS2.0 : MEDIUM
|
| Score |
5.0
|
| Vector |
AV:N/AC:L/Au:N/C:P/I:N/A:N |
| 攻撃元区分(AV) |
ネットワーク |
| 攻撃条件の複雑さ(AC) |
低 |
| 攻撃前の認証要否(Au) |
不要 |
| 機密性への影響(C) |
低 |
| 完全性への影響(I) |
なし |
| 可用性への影響(A) |
なし |
| Get all privileges. |
いいえ
|
| Get user privileges |
いいえ
|
| Get other privileges |
いいえ
|
| User operation required |
いいえ
|
Affected software configurations
| Configuration1 |
or higher |
or less |
more than |
less than |
| cpe:2.3:o:aliasrobotics:mir100_firmware:*:*:*:*:*:*:*:* |
|
2.8.1.1 |
|
|
| execution environment |
| 1 |
cpe:2.3:h:aliasrobotics:mir100:-:*:*:*:*:*:*:* |
| Configuration2 |
or higher |
or less |
more than |
less than |
| cpe:2.3:o:aliasrobotics:mir200_firmware:*:*:*:*:*:*:*:* |
|
2.8.1.1 |
|
|
| execution environment |
| 1 |
cpe:2.3:h:aliasrobotics:mir200:-:*:*:*:*:*:*:* |
| Configuration3 |
or higher |
or less |
more than |
less than |
| cpe:2.3:o:aliasrobotics:mir250_firmware:*:*:*:*:*:*:*:* |
|
2.8.1.1 |
|
|
| execution environment |
| 1 |
cpe:2.3:h:aliasrobotics:mir250:-:*:*:*:*:*:*:* |
| Configuration4 |
or higher |
or less |
more than |
less than |
| cpe:2.3:o:aliasrobotics:mir500_firmware:*:*:*:*:*:*:*:* |
|
2.8.1.1 |
|
|
| execution environment |
| 1 |
cpe:2.3:h:aliasrobotics:mir500:-:*:*:*:*:*:*:* |
| Configuration5 |
or higher |
or less |
more than |
less than |
| cpe:2.3:o:aliasrobotics:mir1000_firmware:*:*:*:*:*:*:*:* |
|
2.8.1.1 |
|
|
| execution environment |
| 1 |
cpe:2.3:h:aliasrobotics:mir1000:-:*:*:*:*:*:*:* |
| Configuration6 |
or higher |
or less |
more than |
less than |
| cpe:2.3:o:mobile-industrial-robotics:er200_firmware:*:*:*:*:*:*:*:* |
|
2.8.1.1 |
|
|
| execution environment |
| 1 |
cpe:2.3:h:mobile-industrial-robotics:er200:-:*:*:*:*:*:*:* |
| Configuration7 |
or higher |
or less |
more than |
less than |
| cpe:2.3:o:enabled-robotics:er-lite_firmware:*:*:*:*:*:*:*:* |
|
2.8.1.1 |
|
|
| execution environment |
| 1 |
cpe:2.3:h:enabled-robotics:er-lite:-:*:*:*:*:*:*:* |
| Configuration8 |
or higher |
or less |
more than |
less than |
| cpe:2.3:o:enabled-robotics:er-flex_firmware:*:*:*:*:*:*:*:* |
|
2.8.1.1 |
|
|
| execution environment |
| 1 |
cpe:2.3:h:enabled-robotics:er-flex:-:*:*:*:*:*:*:* |
| Configuration9 |
or higher |
or less |
more than |
less than |
| cpe:2.3:o:enabled-robotics:er-one_firmware:*:*:*:*:*:*:*:* |
|
2.8.1.1 |
|
|
| execution environment |
| 1 |
cpe:2.3:h:enabled-robotics:er-one:-:*:*:*:*:*:*:* |
| Configuration10 |
or higher |
or less |
more than |
less than |
| cpe:2.3:o:uvd-robots:uvd_robots_firmware:*:*:*:*:*:*:*:* |
|
2.8.1.1 |
|
|
| execution environment |
| 1 |
cpe:2.3:h:uvd-robots:uvd_robots:-:*:*:*:*:*:*:* |
Related information, measures and tools
Common Vulnerabilities List
JVN Vulnerability Information
複数の MiR 製品におけるハードコードされた認証情報の使用に関する脆弱性
| Title |
複数の MiR 製品におけるハードコードされた認証情報の使用に関する脆弱性
|
| Summary |
複数の MiR 製品には、ハードコードされた認証情報の使用に関する脆弱性が存在します。
|
| Possible impacts |
情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。 |
| Solution |
ベンダ情報および参考情報を参照して適切な対策を実施してください。 |
| Publication Date |
June 24, 2020, midnight |
| Registration Date |
Aug. 11, 2020, 4:02 p.m. |
| Last Update |
Aug. 11, 2020, 4:02 p.m. |
Affected System
| UVD Robots |
|
UVD ファームウェア
|
| Mobile Industrial Robots A/S |
|
MiR100 ファームウェア
|
|
MiR1000 ファームウェア
|
|
MiR200 ファームウェア
|
|
MiR250 ファームウェア
|
|
MiR500 ファームウェア
|
| EasyRobotics |
|
ER-Flex ファームウェア
|
|
ER-Lite ファームウェア
|
|
ER-One ファームウェア
|
|
ER200 ファームウェア
|
CVE (情報セキュリティ 共通脆弱性識別子)
CWE (共通脆弱性タイプ一覧)
ベンダー情報
その他
Change Log
| No |
Changed Details |
Date of change |
| 1 |
[2020年08月11日]
掲載 |
Aug. 11, 2020, 4:02 p.m. |