TROYANOSYVIRUS
Volver a CVEs

CVE-2020-10270

CRITICAL
9.8

Descripcion

Out of the wired and wireless interfaces within MiR100, MiR200 and other vehicles from the MiR fleet, it's possible to access the Control Dashboard on a hardcoded IP address. Credentials to such wireless interface default to well known and widely spread users (omitted) and passwords (omitted). This information is also available in past User Guides and manuals which the vendor distributed. This flaw allows cyber attackers to take control of the robot remotely and make use of the default user interfaces MiR has created, lowering the complexity of attacks and making them available to entry-level attackers. More elaborated attacks can also be established by clearing authentication and sending network requests directly. We have confirmed this flaw in MiR100 and MiR200 but according to the vendor, it might also apply to MiR250, MiR500 and MiR1000.

Detalles CVE

Puntuacion CVSS v3.19.8
SeveridadCRITICAL
Vector CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vector de ataqueNETWORK
ComplejidadLOW
Privilegios requeridosNONE
Interaccion usuarioNONE
Publicado6/24/2020
Ultima modificacion11/21/2024
Fuentenvd
Avistamientos honeypot0

Productos afectados

aliasrobotics:mir100aliasrobotics:mir1000aliasrobotics:mir1000_firmwarealiasrobotics:mir100_firmwarealiasrobotics:mir200aliasrobotics:mir200_firmwarealiasrobotics:mir250aliasrobotics:mir250_firmwarealiasrobotics:mir500aliasrobotics:mir500_firmwareenabled-robotics:er-flexenabled-robotics:er-flex_firmwareenabled-robotics:er-liteenabled-robotics:er-lite_firmwareenabled-robotics:er-oneenabled-robotics:er-one_firmwaremobile-industrial-robotics:er200mobile-industrial-robotics:er200_firmwareuvd-robots:uvd_robotsuvd-robots:uvd_robots_firmware

Debilidades (CWE)

CWE-798CWE-798

Referencias

https://github.com/aliasrobotics/RVD/issues/2557(cve@aliasrobotics.com)
https://github.com/aliasrobotics/RVD/issues/2557(af854a3a-2127-422b-91ae-364da2661108)

Correlaciones IOC

Sin correlaciones registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.