CVE-2018-17177

low-risk
Published 2018-09-18

An issue was discovered on Neato Botvac Connected 2.2.0 and Botvac 85 1.2.1 devices. Static encryption is used for the copying of so-called "black box" logs (event logs and core dumps) to a USB stick. These logs are RC4-encrypted with a 9-character password of *^JEd4W!I that is obfuscated by hiding it within a custom /bin/rc4_crypt binary.

Do I need to act?

0.02% chance of exploitation: EPSS score, low exploit probability
Not on CISA KEV list: no confirmed active exploitation reported to CISA
Patch status unknown: check vendor advisories for fix availability and mitigation guidance
CVSS 2.4/10 Low: PHYSICAL attack vector / LOW attack complexity

Affected Products (6)

Botvac D4 Connected Firmware
Botvac D6 Connected Firmware
Botvac D5 Connected Firmware
Botvac D7 Connected Firmware
Botvac D3 Connected Firmware
Botvac 85 Firmware

Affected Vendors

23/100
low-risk
Severity 10/34 · Low
Exploitability 0/34 · Minimal
Exposure 13/34 · Low