PT-2018-13937 · Neato · Neato Botvac Connected, Neato Botvac 85

Published 2018-09-18 · Updated 2021-06-17 · CVE-2018-17177

CVSS v3.1: 2.4 (Low)
Vector: AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Neato Botvac Connected, version 2.2.0
Neato Botvac 85, version 1.2.1

Description

An issue was discovered in the way event logs and core dumps are copied to a USB stick: the export uses static encryption. The files are RC4-encrypted with a 9-character password, *^JEd4W!I, that is only obfuscated within a custom /bin/rc4_crypt binary on the device. Because the same key is baked into every unit and can be recovered from the firmware, the encryption gives no confidentiality against anyone who has analysed one device: with the key, logs and core dumps from any affected robot can be decrypted. In addition, RC4 is a stream cipher, so every file encrypted under the same key is XORed with the same keystream; XORing two exported files together cancels the keystream and leaks plaintext even without the key. Exploitation requires physical access (AV:P) to the robot or to the exported USB stick, which is why the score is Low.

Recommendations

A device-side fix has to replace the static key rather than hide it better: encrypt exported logs and core dumps under a key an attacker cannot obtain from the firmware (for example a random per-export key wrapped to a vendor public key, or a key derived from a per-device secret), and use an authenticated mode of a modern cipher instead of RC4. Restricting access to the /bin/rc4_crypt binary on an individual device does not help, since the key is already recoverable from any firmware image. Until fixed firmware is available, treat any log or core dump copied to USB from a Botvac Connected 2.2.0 or Botvac 85 1.2.1 as effectively plaintext: keep such sticks physically controlled and do not hand dumps to third parties. The *^JEd4W!I password must not be reused in any other context.
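The following is an added example, not part of the advisory and not Neato's code: a pure-Python RC4 used to show the two consequences of the static key described above. Anyone who has extracted the password once decrypts every robot's export, and because the keystream is identical for every file, two ciphertexts XORed together cancel it, and a known plaintext crib (such as the timestamp that starts each log line) recovers the keystream prefix directly. It assumes the 9-character password is used as the RC4 key unchanged, which the advisory does not state, and the sample log lines are constructed rather than real Neato data.

```python
# Added example (not from the advisory or Neato): RC4 with the static key.
# Assumption: the 9-character password is used directly as the RC4 key; the
# advisory does not say whether /bin/rc4_crypt derives the key differently.

STATIC_PASSWORD = b"*^JEd4W!I"   # password quoted in the advisory


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA followed by PRGA)."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 is a stream cipher: encryption and decryption are the same XOR."""
    return xor_bytes(data, rc4_keystream(key, len(data)))


# Constructed sample event logs from two different robots (not real Neato data).
LOG_ROBOT_A = b"2018-09-01T10:00:00 NAV dock found ssid=HomeNet-A\n"
LOG_ROBOT_B = b"2018-09-01T11:30:00 NAV dock found ssid=Office-B\n"


def decrypt_with_recovered_key(ciphertext: bytes) -> bytes:
    """Whoever extracted the static key once can read every robot's export."""
    return rc4_crypt(STATIC_PASSWORD, ciphertext)


def keystream_reuse_leak(ct_a: bytes, ct_b: bytes) -> bytes:
    """Same key => same keystream for every file, so ct_a ^ ct_b == pt_a ^ pt_b.
    No key needed: this is the classic two-time-pad failure."""
    return xor_bytes(ct_a, ct_b)


def recover_keystream_with_crib(ciphertext: bytes, known_prefix: bytes) -> bytes:
    """A known plaintext prefix (e.g. the timestamp every log starts with)
    reveals the keystream prefix, which decrypts the start of any other file."""
    return xor_bytes(ciphertext[:len(known_prefix)], known_prefix)


def demo():
    """Encrypt the two constructed logs exactly as a static-key export would."""
    ct_a = rc4_crypt(STATIC_PASSWORD, LOG_ROBOT_A)
    ct_b = rc4_crypt(STATIC_PASSWORD, LOG_ROBOT_B)
    # Leaked XOR of plaintexts, obtainable without the key.
    leak = keystream_reuse_leak(ct_a, ct_b)
    # Keystream prefix from a crib on file A decrypts the start of file B.
    ks = recover_keystream_with_crib(ct_a, b"2018-09-01T")
    head_b = xor_bytes(ct_b[:len(ks)], ks)
    return ct_a, ct_b, leak, head_b


if __name__ == "__main__":
    ct_a, ct_b, leak, head_b = demo()
    print("file A decrypts to:", decrypt_with_recovered_key(ct_a))
    print("ct_a ^ ct_b (== pt_a ^ pt_b):", leak.hex())
    print("start of file B via crib only:", head_b)
```

The crib step is what makes "obfuscated" irrelevant in practice: the advisory's key was recovered from the binary, but a fixed key plus a stream cipher already leaks structure across exports without it. A correct design gives each export a fresh key that is not present anywhere in the firmware.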

Weakness Enumeration

Inadequate Encryption Strength (CWE-326)

Related Identifiers

CVE-2018-17177

Affected Products

Neato Botvac 85
Neato Botvac Connected