Victor Mayoral Vilches

**Name of the Vulnerable Software and Affected Versions** Universal Robots controller (affected versions not specified) **Description** The issue allows a malicious actor to compromise the system by creating a custom URCap, which is a zip file containing Java-powered applications. These URCaps can be executed by the Universal Robots controller without any permission restrictions. The controller's API provides many primitives that can be used to compromise the overall robot operations. A proof of concept demonstrates how a malicious actor could create such a URCap, which when deployed by the user, either intentionally or unintentionally, can compromise the system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** IRC5 (affected versions not specified) **Description** The issue allows unauthorized access to the FTP server on port 21. When attempting to gain access, a request for a username and password is made, but any non-empty input is accepted for these fields. **Recommendations** For IRC5, as a temporary workaround, consider restricting access to the FTP server on port 21 until a proper authentication mechanism is implemented. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** xArm controller (affected versions not specified) **Description** The authentication implementation has very low entropy, making it susceptible to a brute-force attack. There is no mechanism in place to mitigate or lockout automated attempts to gain access. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned, so the information cannot be provided. **Description** The main user account has restricted privileges but is in the sudoers group. There is no mechanism in place to prevent the use of `sudo su` or `sudo -i`, which can be used to gain unrestricted access to sensitive files, encryption, or issue orders that disrupt robot operation. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ABB IRC5 family with UAS service enabled (affected versions not specified) **Description** The issue concerns default credentials that can be easily found in publicly available manuals for the ABB IRC5 family with UAS service enabled. Although intended to facilitate setup, research has shown that multiple production systems are using these default credentials, posing a significant exposure risk. It is recommended that future deployments should require users to change these defaults to enhance security. **Recommendations** For the ABB IRC5 family with UAS service enabled, consider changing the default credentials to custom ones as a mitigation measure. As a temporary workaround, restrict access to systems using the default credentials until custom credentials can be set. Force users to change the default credentials during the initial setup of future deployments to minimize the risk of exposure.

**Name of the Vulnerable Software and Affected Versions** MiR controllers versions 2.8.1.1 and earlier **Description** The issue concerns the lack of encryption or protection for intellectual property artifacts installed in the robots. This flaw allows attackers with access to the robot or the robot network to retrieve and easily exfiltrate all installed intellectual property and data, especially when combined with other flaws. **Recommendations** For versions 2.8.1.1 and earlier, consider restricting access to the robot and its network to minimize the risk of exploitation until a patch is available. As a temporary workaround, limit the installation of sensitive intellectual property artifacts on the robots. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

The access tokens for the REST API are directly derived (sha256 and base64 encoding) from the publicly available default credentials from the Control Dashboard (refer to CVE-2020-10270 for related flaws). This flaw in combination with CVE-2020-10273 allows any attacker connected to the robot networks (wired or wireless) to exfiltrate all stored data (e.g. indoor mapping images) and associated metadata from the robot's database.

**Name of the Vulnerable Software and Affected Versions** No specific software name or affected versions are mentioned in the provided descriptions. **Description** The issue concerns the generation of access tokens for a REST API, which are directly derived from publicly available default credentials for the web interface. Given a `USERNAME` and a `PASSWORD`, the token string is generated using base64(USERNAME:sha256(PASSWORD)). This allows an unauthorized attacker inside the network to compute the token and interact with the REST API, potentially leading to data exfiltration, infiltration, or deletion. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned in the provided descriptions. **Description** The issue is related to the lack of a mechanism to prevent booting from a live OS image, which can lead to the extraction of sensitive files, such as the shadow file, or privilege escalation by manually adding a new user with sudo privileges on the machine. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MiR's Computer (affected versions not specified) **Description** The BIOS onboard MiR's Computer is not protected by a password, allowing a malicious operator to modify settings such as boot order. This can be leveraged to boot from a Live Image. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MiR robot controllers (central computation unit) version Ubuntu 16.04.2 **Description** The MiR robot controllers' central computation unit uses Ubuntu 16.04.2, an operating system initially designed for desktop use, which presents insecure defaults for robots. These insecurities include a way for users to escalate their access beyond what they were granted via file creation, access race conditions, insecure home directory configurations, and defaults that facilitate Denial of Service (DoS) attacks. **Recommendations** For Ubuntu 16.04.2, consider updating to a newer version of the operating system to address the insecure defaults. As a temporary workaround, restrict access to sensitive files and directories to minimize the risk of access escalation and Denial of Service (DoS) attacks. Additionally, review and secure home directory configurations to prevent unauthorized access.

**Name of the Vulnerable Software and Affected Versions** Safety PLC (affected versions not specified) **Description** The password for the safety PLC is the default and easily accessible, allowing a manipulated program to be uploaded, which can disable the emergency stop when an object is too close to the robot. This issue does not affect navigation or components dependent on the laser scanner, making it difficult to detect before an incident occurs. However, the laser scanner configuration can also be affected, further altering the safety of the device. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MiR100 (affected versions not specified) MiR200 (affected versions not specified) MiR250 (affected versions not specified) MiR500 (affected versions not specified) MiR1000 (affected versions not specified) **Description** A wireless interface in certain MiR fleet vehicles comes pre-configured in WiFi Master (Access Point) mode with default and widely known SSID and passwords. This information has been available in past User Guides and manuals distributed by the vendor. The issue has been confirmed in MiR100 and MiR200, and it may also apply to other models. **Recommendations** For MiR100, consider changing the default SSID and password to secure the wireless Access Point. For MiR200, update the wireless interface configuration to use unique and secure SSID and passwords. For MiR250, MiR500, and MiR1000, if the issue applies, change the default wireless Access Point settings to secure credentials. As a temporary workaround, consider disabling the WiFi Master mode until secure configurations can be implemented.

**Name of the Vulnerable Software and Affected Versions** MiR100 (affected versions not specified) MiR200 (affected versions not specified) MiR250 (affected versions not specified) MiR500 (affected versions not specified) MiR1000 (affected versions not specified) **Description** The issue allows access to the Control Dashboard on a hardcoded IP address through wired and wireless interfaces within the MiR fleet. Default credentials for the wireless interface are well-known and widely spread, and this information is also available in past User Guides and manuals distributed by the vendor. This flaw enables cyber attackers to remotely take control of the robot and use the default user interfaces created by MiR, making attacks available to entry-level attackers. More elaborate attacks can be established by clearing authentication and sending network requests directly. **Recommendations** For MiR100, consider disabling the default user interfaces until a fix is available. For MiR200, restrict access to the Control Dashboard on the hardcoded IP address to minimize the risk of exploitation. For MiR250, MiR500, and MiR1000, if the flaw applies, avoid using the default credentials and consider implementing custom authentication mechanisms. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MiR100, MiR200 and other MiR robots (affected versions not specified) **Description** The issue is related to the Robot Operating System (ROS) default packages exposing the computational graph to all network interfaces. This exposure is due to a bad setup and can be exploited by malicious operators to take control of the ROS logic and, consequently, the complete robot. The ROS computational graph can be accessed fully from the wired exposed ports. In combination with other flaws, the computational graph can also be fetched and interacted with from wireless networks. **Recommendations** For MiR100, MiR200 and other MiR robots, appropriately configure ROS to mitigate the issue. Apply custom patches as appropriate to secure the ROS computational graph. Restrict access to the wired exposed ports to minimize the risk of exploitation. Consider disabling unnecessary network interfaces to reduce the attack surface until a proper configuration or patch is applied.

MiR100, MiR200 and other MiR robots use the Robot Operating System (ROS) default packages exposing the computational graph without any sort of authentication. This allows attackers with access to the internal wireless and wired networks to take control of the robot seamlessly. In combination with CVE-2020-10269 and CVE-2020-10271, this flaw allows malicious actors to command the robot at desire.

**Name of the Vulnerable Software and Affected Versions** Kuka (affected versions not specified) **Description** A critical issue allows for the termination of essential services from the Windows Task Manager, which can halt the manipulator's operation. After such an event, a re-calibration of the brakes is required, which can only be performed by a Kuka technician or using Kuka-issued calibration hardware, leading to increased downtime and operational costs. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** UR+ (Universal Robots+) (affected versions not specified) **Description** The issue concerns the lack of integrity checks when installing components in Universal Robots robots through the UR+ platform. An attacker can exploit this by crafting a custom component using the easily obtainable SDK, potentially leading to Person-In-The-Middle (PITM) attacks. The attacker could then ship the malicious component, posing a risk to the robots' security. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.