CVE-2020-10271

high-risk
Published 2020-06-24

MiR100, MiR200 and other MiR robots use the Robot Operating System (ROS) default packages exposing the computational graph to all network interfaces, wireless and wired. This is the result of a bad set up and can be mitigated by appropriately configuring ROS and/or applying custom patches as appropriate. Currently, the ROS computational graph can be accessed fully from the wired exposed ports. In combination with other flaws such as CVE-2020-10269, the computation graph can also be fetched and interacted from wireless networks. This allows a malicious operator to take control of the ROS logic and correspondingly, the complete robot given that MiR's operations are centered around the framework (ROS).

Do I need to act?

-
0.40% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (10)

Mir100 Firmware
Mir200 Firmware
Mir250 Firmware
Mir500 Firmware
Mir1000 Firmware
Er200 Firmware
Er-Lite Firmware
Er-Flex Firmware
Er-One Firmware
Uvd Robots Firmware

Affected Vendors

Aliasrobotics Mobile-Industrial-Robotics Enabled-Robotics Uvd-Robots

References (2)

Exploit https://github.com/aliasrobotics/RVD/issues/2555
Exploit https://github.com/aliasrobotics/RVD/issues/2555
50
/ 100
high-risk
Severity 32/34 · Critical
Exploitability 2/34 · Minimal
Exposure 16/34 · Moderate