#VU15426 Improper access control in VGo Celia
Vulnerability identifier: #VU15426
Vulnerability risk: Low
CVSSv3.1: 8.1 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]
CVE-ID:
CWE-ID:
CWE-284
Exploitation vector: Local network
Exploit availability: No
Vulnerable software:
VGo Celia
Hardware solutions /
Firmware
Vendor: Vecna Technologies
Description
The vulnerability allows an adjacent attacker to gain elevated privileges on the target system.
The weakness exists due to improper access control. An adjacent attacker can plug in a USB thumb drive into a robot, cause the robot's firmware to execute a file hosted on the USB stick (/config/startup.script) with root privileges, giving the attacker the opportunity to hijack the device.
Mitigation
Cybersecurity Help is currently unaware of any solutions addressing the vulnerability.
Vulnerable software versions
VGo Celia: 1.4.2 - 3.0.3.52164
External links
http://go.zingbox.com/rs/562-ZPO-907/images/Zingbox%20Whitepaper%20-%20Telepresence%20Robot%20Vulnerabilities.pdf
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
