MiR100, MiR200 and other MiR robots use the Robot Operating System (ROS) default packages exposing the computational graph to all network interfaces, wireless and wired. This is the result of a bad set up and can be mitigated by appropriately configuring ROS and/or applying custom patches as appropriate. Currently, the ROS computational graph can be accessed fully from the wired exposed ports. In combination with other flaws such as CVE-2020-10269, the computation graph can also be fetched and interacted from wireless networks. This allows a malicious operator to take control of the ROS logic and correspondingly, the complete robot given that MiR's operations are centered around the framework (ROS).
Published 2020-06-24 05:15:13
Updated 2020-07-06 15:55:00
View at NVD,   CVE.org

Products affected by CVE-2020-10271

Exploit prediction scoring system (EPSS) score for CVE-2020-10271

0.43%
Probability of exploitation activity in the next 30 days EPSS Score History
~ 74 %
Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-10271

Base Score Base Severity CVSS Vector Exploitability Score Impact Score Score Source First Seen
5.0
MEDIUM AV:N/AC:L/Au:N/C:P/I:N/A:N
10.0
2.9
NIST
10.0
CRITICAL CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
3.9
6.0
Alias Robotics S.L.
9.8
CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
3.9
5.9
NIST

CWE ids for CVE-2020-10271

  • The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
    Assigned by:
    • cve@aliasrobotics.com (Secondary)
    • nvd@nist.gov (Primary)

References for CVE-2020-10271

  • https://github.com/aliasrobotics/RVD/issues/2555
    RVD#2555: MiR ROS computational graph is exposed to all network interfaces, including poorly secured wireless networks and open wired ones · Issue #2555 · aliasrobotics/RVD · GitHub
    Exploit;Third Party Advisory
Jump to
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!