PT-2020-12023 · Mobile Industrial Robots A/S+3 · Mir100+10

Alias Robotics

Published

2020-06-24

Updated

2021-09-14

CVE-2020-10274

CVSS v3.1

7.1

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

The access tokens for the REST API are directly derived (sha256 and base64 encoding) from the publicly available default credentials from the Control Dashboard (refer to CVE-2020-10270 for related flaws). This flaw in combination with CVE-2020-10273 allows any attacker connected to the robot networks (wired or wireless) to exfiltrate all stored data (e.g. indoor mapping images) and associated metadata from the robot's database.

Fix

Information Disclosure

Use of Insufficiently Random Values

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-200CWE-330

Related Identifiers

CVE-2020-10274

Affected Products

Mir100

Er-Flex Firmware

Er-Lite Firmware

Er-One Firmware

Er200 Firmware

Mir1000 Firmware

Mir100 Firmware

Mir200 Firmware

Mir250 Firmware

Mir500 Firmware

Uvd Firmware

PT-2020-12023 · Mobile Industrial Robots A/S+3 · Mir100+10

CVE-2020-10274

Weakness Enumeration

Related Identifiers

Affected Products

References · 6