10

CVE-2020-10272

Exploit

MiR100, MiR200 and other MiR robots use the Robot Operating System (ROS) default packages exposing the computational graph without any sort of authentication. This allows attackers with access to the internal wireless and wired networks to take control of the robot seamlessly. In combination with CVE-2020-10269 and CVE-2020-10271, this flaw allows malicious actors to command the robot at desire.

Data is provided by the National Vulnerability Database (NVD)
AliasroboticsMir100 Firmware Version <= 2.8.1.1
   AliasroboticsMir100 Version-
AliasroboticsMir200 Firmware Version <= 2.8.1.1
   AliasroboticsMir200 Version-
AliasroboticsMir250 Firmware Version <= 2.8.1.1
   AliasroboticsMir250 Version-
AliasroboticsMir500 Firmware Version <= 2.8.1.1
   AliasroboticsMir500 Version-
AliasroboticsMir1000 Firmware Version <= 2.8.1.1
   AliasroboticsMir1000 Version-
Enabled-roboticsEr-lite Firmware Version <= 2.8.1.1
   Enabled-roboticsEr-lite Version-
Enabled-roboticsEr-flex Firmware Version <= 2.8.1.1
   Enabled-roboticsEr-flex Version-
Enabled-roboticsEr-one Firmware Version <= 2.8.1.1
   Enabled-roboticsEr-one Version-
Uvd-robotsUvd Robots Firmware Version <= 2.8.1.1
   Uvd-robotsUvd Robots Version-
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 0.47% 0.618
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 10 10 10
AV:N/AC:L/Au:N/C:C/I:C/A:C
cve@aliasrobotics.com 10 3.9 6
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.