Details of VAR-202006-0268

ID

VAR-202006-0268

CVE

CVE-2020-10272

TITLE

plural MiR Vulnerability regarding lack of authentication for critical features in the product

Trust: 0.8

sources: JVNDB: JVNDB-2020-007374

DESCRIPTION

MiR100, MiR200 and other MiR robots use the Robot Operating System (ROS) default packages exposing the computational graph without any sort of authentication. This allows attackers with access to the internal wireless and wired networks to take control of the robot seamlessly. In combination with CVE-2020-10269 and CVE-2020-10271, this flaw allows malicious actors to command the robot at desire. plural MiR The product contains vulnerabilities related to lack of authentication for critical features.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state

Trust: 1.62

sources: NVD: CVE-2020-10272 // JVNDB: JVNDB-2020-007374

IOT TAXONOMY

category:

['industrial device']

sub_category:

robot

Trust: 0.1

sources: OTHER: None

AFFECTED PRODUCTS

vendor:	aliasrobotics	model:	mir250	scope:	lte	version:	2.8.1.1	Trust: 1.0
vendor:	enabled robotics	model:	er-flex	scope:	lte	version:	2.8.1.1	Trust: 1.0
vendor:	aliasrobotics	model:	mir500	scope:	lte	version:	2.8.1.1	Trust: 1.0
vendor:	aliasrobotics	model:	mir100	scope:	lte	version:	2.8.1.1	Trust: 1.0
vendor:	enabled robotics	model:	er-lite	scope:	lte	version:	2.8.1.1	Trust: 1.0
vendor:	aliasrobotics	model:	mir200	scope:	lte	version:	2.8.1.1	Trust: 1.0
vendor:	aliasrobotics	model:	mir1000	scope:	lte	version:	2.8.1.1	Trust: 1.0
vendor:	enabled robotics	model:	er-one	scope:	lte	version:	2.8.1.1	Trust: 1.0
vendor:	mobile industrial robotics	model:	er200	scope:	lte	version:	2.8.1.1	Trust: 1.0
vendor:	uvd robots	model:	uvd robots	scope:	lte	version:	2.8.1.1	Trust: 1.0
vendor:	easyrobotics	model:	er-flex	scope:	-	version:	-	Trust: 0.8
vendor:	easyrobotics	model:	er-lite	scope:	-	version:	-	Trust: 0.8
vendor:	easyrobotics	model:	er-one	scope:	-	version:	-	Trust: 0.8
vendor:	easyrobotics	model:	er200	scope:	-	version:	-	Trust: 0.8
vendor:	mobile industrial robots a s	model:	mir100	scope:	-	version:	-	Trust: 0.8
vendor:	mobile industrial robots a s	model:	mir1000	scope:	-	version:	-	Trust: 0.8
vendor:	mobile industrial robots a s	model:	mir200	scope:	-	version:	-	Trust: 0.8
vendor:	mobile industrial robots a s	model:	mir250	scope:	-	version:	-	Trust: 0.8
vendor:	mobile industrial robots a s	model:	mir500	scope:	-	version:	-	Trust: 0.8
vendor:	uvd robots	model:	uvd	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2020-007374 // NVD: CVE-2020-10272

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-10272
value:	CRITICAL
Trust: 1.0
cve@aliasrobotics.com:	CVE-2020-10272
value:	CRITICAL
Trust: 1.0
NVD:	JVNDB-2020-007374
value:	CRITICAL
Trust: 0.8
CNNVD:	CNNVD-202006-1663
value:	CRITICAL
Trust: 0.6

nvd@nist.gov:	CVE-2020-10272
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
NVD:	JVNDB-2020-007374
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8

nvd@nist.gov:	CVE-2020-10272
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 1.0
cve@aliasrobotics.com:	CVE-2020-10272
baseSeverity:	CRITICAL
baseScore:	10.0
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	6.0
version:	3.0
Trust: 1.0
NVD:	JVNDB-2020-007374
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2020-007374 // CNNVD: CNNVD-202006-1663 // NVD: CVE-2020-10272 // NVD: CVE-2020-10272

PROBLEMTYPE DATA

problemtype:

CWE-306

Trust: 1.8

sources: JVNDB: JVNDB-2020-007374 // NVD: CVE-2020-10272

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202006-1663

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-202006-1663

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-007374

PATCH

title:	Top Page	url:	https://www.easyrobotics.biz/	Trust: 0.8
title:	Top Page	url:	https://www.mobile-industrial-robots.com/en/	Trust: 0.8
title:	Top Page	url:	http://www.uvd-robots.com/	Trust: 0.8

sources: JVNDB: JVNDB-2020-007374

EXTERNAL IDS

db:	NVD	id:	CVE-2020-10272	Trust: 2.5
db:	JVNDB	id:	JVNDB-2020-007374	Trust: 0.8
db:	AUSCERT	id:	ESB-2021.3344	Trust: 0.6
db:	CS-HELP	id:	SB2021101107	Trust: 0.6
db:	ICS CERT	id:	ICSA-21-280-02	Trust: 0.6
db:	CNNVD	id:	CNNVD-202006-1663	Trust: 0.6
db:	OTHER	id:	NONE	Trust: 0.1

sources: OTHER: None // JVNDB: JVNDB-2020-007374 // CNNVD: CNNVD-202006-1663 // NVD: CVE-2020-10272

REFERENCES

url:	https://github.com/aliasrobotics/rvd/issues/2554	Trust: 2.4
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10272	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-10272	Trust: 0.8
url:	https://www.cybersecurity-help.cz/vdb/sb2021101107	Trust: 0.6
url:	https://us-cert.cisa.gov/ics/advisories/icsa-21-280-02	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.3344	Trust: 0.6
url:	https://ieeexplore.ieee.org/abstract/document/10769424	Trust: 0.1

sources: OTHER: None // JVNDB: JVNDB-2020-007374 // CNNVD: CNNVD-202006-1663 // NVD: CVE-2020-10272

CREDITS

Victor Mayoral Vilches of Alias Robotics reported these vulnerabilities to CISA.

Trust: 0.6

sources: CNNVD: CNNVD-202006-1663

SOURCES

db:	OTHER	id:	-
db:	JVNDB	id:	JVNDB-2020-007374
db:	CNNVD	id:	CNNVD-202006-1663
db:	NVD	id:	CVE-2020-10272

LAST UPDATE DATE

2025-01-30T21:44:48.070000+00:00

SOURCES UPDATE DATE

db:	JVNDB	id:	JVNDB-2020-007374	date:	2020-08-11T00:00:00
db:	CNNVD	id:	CNNVD-202006-1663	date:	2022-03-10T00:00:00
db:	NVD	id:	CVE-2020-10272	date:	2024-11-21T04:55:06.683

SOURCES RELEASE DATE

db:	JVNDB	id:	JVNDB-2020-007374	date:	2020-08-11T00:00:00
db:	CNNVD	id:	CNNVD-202006-1663	date:	2020-06-24T00:00:00
db:	NVD	id:	CVE-2020-10272	date:	2020-06-24T05:15:12.943