Vulnerability Details : CVE-2020-10272
Potential exploit
MiR100, MiR200 and other MiR robots use the Robot Operating System (ROS) default packages, which expose the computational graph without any sort of authentication. This allows attackers with access to the internal wireless and wired networks to take control of the robot seamlessly. In combination with CVE-2020-10269 and CVE-2020-10271, this flaw allows malicious actors to command the robot at will.
Products affected by CVE-2020-10272
- cpe:2.3:o:aliasrobotics:mir100_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:aliasrobotics:mir200_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:aliasrobotics:mir250_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:aliasrobotics:mir500_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:aliasrobotics:mir1000_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:mobile-industrial-robotics:er200_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:enabled-robotics:er-lite_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:enabled-robotics:er-flex_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:enabled-robotics:er-one_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:uvd-robots:uvd_robots_firmware:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-10272
1.22%
Probability of exploitation activity in the next 30 days
~ 85 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-10272
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
10.0 | HIGH | AV:N/AC:L/Au:N/C:C/I:C/A:C | 10.0 | 10.0 | NIST | |
10.0 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | 3.9 | 6.0 | Alias Robotics S.L. | |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |
CWE ids for CVE-2020-10272
- The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. Assigned by:
- cve@aliasrobotics.com (Secondary)
- nvd@nist.gov (Primary)
References for CVE-2020-10272
- https://github.com/aliasrobotics/RVD/issues/2554
  RVD#2554: MiR ROS computational graph presents no authentication mechanisms · Issue #2554 · aliasrobotics/RVD · GitHub (Exploit; Third Party Advisory)