SB2018101904 - Multiple vulnerabilities in Vecna VGo Celia
Published: October 19, 2018
Security Bulletin ID: SB2018101904
Severity: Low
Patch available: NO
Number of vulnerabilities: 3
Exploitation vector: Adjacent network
Highest impact: Code execution
Description
This security bulletin contains information about 3 security vulnerabilities.
1) Information disclosure (CVE-ID: CVE-2018-8858)
The vulnerability allows an adjacent attacker to obtain potentially sensitive information on the target system. The weakness exists due to insufficiently protected credentials. An adjacent attacker can recover the WiFi passwords that the robot uses to connect to an organization's internal network, or the XMPP credentials that the robot owner uses to connect to the device from remote locations.
2) Improper access control (CVE-ID: CVE-2018-17931)
The vulnerability allows an adjacent attacker to gain elevated privileges on the target system. The weakness exists due to improper access control. An adjacent attacker can plug a USB thumb drive into a robot and cause the robot's firmware to execute a file hosted on the USB stick (/config/startup.script) with root privileges, giving the attacker the opportunity to hijack the device.
3) Improper authorization (CVE-ID: CVE-2018-17933)
The vulnerability allows an adjacent attacker to bypass authorization on the target system. The weakness exists in the XMPP client due to improper authorization. An adjacent attacker can access the telepresence robot's internal functions and execute arbitrary commands.
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.