Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2020-10274— RVD#2556: MiR REST API allows for data exfiltration by unauthorized attackers (e.g. indoor maps)

EPSS 0.28% · P51
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2020-10274

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
RVD#2556: MiR REST API allows for data exfiltration by unauthorized attackers (e.g. indoor maps)
Source: NVD (National Vulnerability Database)
Vulnerability Description
The access tokens for the REST API are directly derived (sha256 and base64 encoding) from the publicly available default credentials from the Control Dashboard (refer to CVE-2020-10270 for related flaws). This flaw in combination with CVE-2020-10273 allows any attacker connected to the robot networks (wired or wireless) to exfiltrate all stored data (e.g. indoor mapping images) and associated metadata from the robot's database.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
信息暴露
Source: NVD (National Vulnerability Database)
Vulnerability Title
Mobile Industrial Robots MiR100 安全特征问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Mobile Industrial Robots MiR100是MiR的一个应用软件。一款安全、经济高效的移动机器人,可快速实现内部运输和物流的自动化。 Mobile Industrial Robots MiR100存在安全特征问题漏洞。攻击者可利用该漏洞(以及CNNVD-202006-1665)连接到机器人网络,获取全部存储的数据以及机器人数据库中的相关元数据。以下产品及版本受到影响:使用2.8.1.1及之前版本固件的Mobile Industrial Robots MiR100;Mobile Indu
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
Mobile Industrial Robots A/SMiR100 v2.8.1.1 and before -

II. Public POCs for CVE-2020-10274

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2020-10274

登录查看更多情报信息。

Same Patch Batch · Mobile Industrial Robots A/S · 2020-06-24 · 12 CVEs total

CVE-2020-10269RVD#2566: Hardcoded Credentials on MiRX00 wireless Access Point
CVE-2020-10270RVD#2557: Hardcoded Credentials on MiRX00 Control Dashboard
CVE-2020-10271RVD#2555: MiR ROS computational graph is exposed to all network interfaces, including poor
CVE-2020-10272RVD#2554: MiR ROS computational graph presents no authentication mechanisms
CVE-2020-10273RVD#2560: Unprotected intellectual property in Mobile Industrial Robots (MiR) controllers
CVE-2020-10275RVD#2565: Weak token generation for the REST API.
CVE-2020-10276RVD#2558: Default credentials on SICK PLC allows disabling safety features
CVE-2020-10277RVD#2562: Booting from a live image leads to exfiltration of sensible information and priv
CVE-2020-10278RVD#2561: Unprotected BIOS allows user to boot from live OS image.
CVE-2020-10279RVD#2569: Insecure operating system defaults in MiR robots
CVE-2020-10280RVD#2568: Apache server is vulnerable to a DoS

IV. Related Vulnerabilities

Same product: MiR100
Same vendor: Mobile Industrial Robots A/S
Same weakness: CWE-200

V. Comments for CVE-2020-10274

No comments yet

Leave a comment