Multiple vulnerabilities in Mobile Industrial Robots Vehicles and MiR Fleet Software



Published: 2021-10-11
Risk High
Patch available YES
Number of vulnerabilities 10
CVE-ID CVE-2017-7184
CVE-2017-18255
CVE-2020-10271
CVE-2020-10272
CVE-2020-10273
CVE-2020-10276
CVE-2020-10277
CVE-2020-10278
CVE-2020-10279
CVE-2020-10280
CWE-ID CWE-122
CWE-190
CWE-306
CWE-311
CWE-284
CWE-276
CWE-20
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
MiR Fleet
Hardware solutions / Firmware

MiR1000
Hardware solutions / Firmware

MiR500
Hardware solutions / Firmware

MiR250
Hardware solutions / Firmware

MiR200
Hardware solutions / Firmware

MiR100
Hardware solutions / Firmware

Vendor Mobile Industrial Robots

Security Bulletin

This security bulletin contains information about 10 vulnerabilities.

1) Buffer overflow

EUVDB-ID: #VU6184

Risk: Low

CVSSv3.1: 8.1 [CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-7184

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a local attacker to execute arbitrary code on the target system with escalated privileges.

The vulnerability exists due to boundary error in xfrm_replay_verify_len() function in net/xfrm/xfrm_user.c in Linux kernel when validating data after an XFRM_MSG_NEWAE update. A local use can trigger heap-based buffer overflow by leveraging the CAP_NET_ADMIN capability and execute arbitrary code on the target system with root privileges.

Successful exploitation of this vulnerability may allow an attacker to compromise vulnerable system.

This vulnerability was demonstrated during the Pwn2Own competition at CanSecWest 2017 for the Ubuntu 16.10 linux-image-* package 4.8.0.41.52.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MiR Fleet: before 2.10.2.1

MiR1000: before 2.10.2.1

MiR500: before 2.10.2.1

MiR250: before 2.10.2.1

MiR200: before 2.10.2.1

MiR100: before 2.10.2.1

CPE2.3 External links

http://us-cert.cisa.gov/ics/advisories/icsa-21-280-02

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Integer overflow

EUVDB-ID: #VU11519

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-18255

CWE-ID: CWE-190 - Integer Overflow or Wraparound

Exploit availability: No

Description

The vulnerability allows a local attacker to cause DoS condition on the target system.

The weakness exists due to improper validation of the input value from userspace when using the perf_cpu_time_max_percent_handler function, as defined in the kernel/events/core.c source code file. A local attacker can send specially crafted input that contains large values, trigger integer overflow and cause the service to crash.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MiR Fleet: before 2.10.2.1

MiR1000: before 2.10.2.1

MiR500: before 2.10.2.1

MiR250: before 2.10.2.1

MiR200: before 2.10.2.1

MiR100: before 2.10.2.1

CPE2.3 External links

http://us-cert.cisa.gov/ics/advisories/icsa-21-280-02

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Exposure of Resource to Wrong Sphere

EUVDB-ID: #VU57186

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-10271

CWE-ID: -

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to two APIs to the Robot Operating System (ROS) used in MiR robots are accessible from both wired and wireless network interfaces. A remote attacker can control of the robot, cause a denial of service (DoS) condition and exfiltrate data over the web interface. 

Mitigation

Install update from vendor's website.

Vulnerable software versions

MiR Fleet: before 2.10.2.1

MiR1000: before 2.10.2.1

MiR500: before 2.10.2.1

MiR250: before 2.10.2.1

MiR200: before 2.10.2.1

MiR100: before 2.10.2.1

CPE2.3 External links

http://github.com/aliasrobotics/RVD/issues/2555
http://us-cert.cisa.gov/ics/advisories/icsa-21-280-02

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Missing Authentication for Critical Function

EUVDB-ID: #VU57187

Risk: Medium

CVSSv3.1: 7.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-10272

CWE-ID: CWE-306 - Missing Authentication for Critical Function

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to Robot Operating System (ROS) default packages are used, which expose the computational graph without any authentication. A remote attacker on the local network can take control of the robot.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MiR Fleet: before 2.10.2.1

MiR1000: before 2.10.2.1

MiR500: before 2.10.2.1

MiR250: before 2.10.2.1

MiR200: before 2.10.2.1

MiR100: before 2.10.2.1

CPE2.3 External links

http://us-cert.cisa.gov/ics/advisories/icsa-21-280-02
http://github.com/aliasrobotics/RVD/issues/2554

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Missing Encryption of Sensitive Data

EUVDB-ID: #VU57188

Risk: Low

CVSSv3.1: 5.4 [CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-10273

CWE-ID: CWE-311 - Missing Encryption of Sensitive Data

Exploit availability: No

Description

The vulnerability allows a local attacker to gain access to potentially sensitive information.

The vulnerability exists due to missing encryption of sensitive data. A local attacker can gain unauthorized access to sensitive information on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MiR Fleet: before 2.10.2.1

MiR1000: before 2.10.2.1

MiR500: before 2.10.2.1

MiR250: before 2.10.2.1

MiR200: before 2.10.2.1

MiR100: before 2.10.2.1

CPE2.3 External links

http://us-cert.cisa.gov/ics/advisories/icsa-21-280-02
http://github.com/aliasrobotics/RVD/issues/2560

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Improper access control

EUVDB-ID: #VU57189

Risk: Medium

CVSSv3.1: 7.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-10276

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to MiR robots shipped before June 2020 had default passwords set for the SICK safety PLC. A remote attacker on the local network can use the default credentials to manipulate the safety PLC, effectively disabling the emergency stop function. 

Mitigation

Install update from vendor's website.

Vulnerable software versions

MiR Fleet: before 2.10.2.1

MiR1000: before 2.10.2.1

MiR500: before 2.10.2.1

MiR250: before 2.10.2.1

MiR200: before 2.10.2.1

MiR100: before 2.10.2.1

CPE2.3 External links

http://us-cert.cisa.gov/ics/advisories/icsa-21-280-02
http://github.com/aliasrobotics/RVD/issues/2558

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Improper access control

EUVDB-ID: #VU57190

Risk: Low

CVSSv3.1: 5.6 [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-10277

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a local attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to the ability to boot from USB is an insecure default configuration that is changeable by integrators. An attacker with physical access can abuse this functionality to manipulate or exfiltrate data stored on the robot’s hard drive.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MiR Fleet: before 2.10.2.1

MiR1000: before 2.10.2.1

MiR500: before 2.10.2.1

MiR250: before 2.10.2.1

MiR200: before 2.10.2.1

MiR100: before 2.10.2.1

CPE2.3 External links

http://us-cert.cisa.gov/ics/advisories/icsa-21-280-02
http://github.com/aliasrobotics/RVD/issues/2562

Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Improper access control

EUVDB-ID: #VU57191

Risk: Low

CVSSv3.1: 4 [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-10278

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows an attacker with physical access to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to the lack of a BIOS password is an insecure default configuration, changeable by integrators.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MiR Fleet: before 2.10.2.1

MiR1000: before 2.10.2.1

MiR500: before 2.10.2.1

MiR250: before 2.10.2.1

MiR200: before 2.10.2.1

MiR100: before 2.10.2.1

CPE2.3 External links

http://us-cert.cisa.gov/ics/advisories/icsa-21-280-02
http://github.com/aliasrobotics/RVD/issues/2561

Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Incorrect default permissions

EUVDB-ID: #VU57192

Risk: Low

CVSSv3.1: 7.3 [CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-10279

CWE-ID: CWE-276 - Incorrect Default Permissions

Exploit availability: No

Description

The vulnerability allows a local attacker to escalate privileges on the system.

The vulnerability exists due to incorrect default permissions. A local attacker with access to the robot operating system (ROS) can perform privilege escalation or cause denial-of-service.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MiR Fleet: before 2.10.2.1

MiR1000: before 2.10.2.1

MiR500: before 2.10.2.1

MiR250: before 2.10.2.1

MiR200: before 2.10.2.1

MiR100: before 2.10.2.1

CPE2.3 External links

http://us-cert.cisa.gov/ics/advisories/icsa-21-280-02
http://github.com/aliasrobotics/RVD/issues/2569

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Input validation error

EUVDB-ID: #VU57193

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-10280

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in the Apache server. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MiR Fleet: before 2.10.2.1

MiR1000: before 2.10.2.1

MiR500: before 2.10.2.1

MiR250: before 2.10.2.1

MiR200: before 2.10.2.1

MiR100: before 2.10.2.1

CPE2.3 External links

http://us-cert.cisa.gov/ics/advisories/icsa-21-280-02
http://github.com/aliasrobotics/RVD/issues/2568

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###