Vulnerabilities > UVD Robots

DATE CVE VULNERABILITY TITLE RISK
2020-06-24 CVE-2020-10280 Improper Resource Shutdown or Release vulnerability in multiple products
The Apache server on port 80 that hosts the web interface is vulnerable to a DoS by spamming incomplete HTTP headers, effectively blocking access to the dashboard.
7.5
2020-06-24 CVE-2020-10279 Insecure Default Initialization of Resource vulnerability in multiple products
MiR robot controllers (central computation unit) make use of Ubuntu 16.04.2, an operating system intended for desktop use; this operating system presents insecure defaults for robots.
9.8
2020-06-24 CVE-2020-10278 Improper Authentication vulnerability in multiple products
The BIOS onboard MiR's computer is not protected by a password; it therefore allows a bad operator to modify settings such as boot order.
4.6
2020-06-24 CVE-2020-10277
There is no mechanism in place to prevent a bad operator from booting from a live OS image; this can lead to extraction of sensitive files (such as the shadow file) or privilege escalation by manually adding a new user with sudo privileges on the machine.
6.4
2020-06-24 CVE-2020-10276 Use of Hard-coded Credentials vulnerability in multiple products
The password for the safety PLC is the default and thus easy to find (in manuals, etc.).
network
low complexity
mobile-industrial-robots easyrobotics uvd-robots CWE-798
critical
9.8
2020-06-24 CVE-2020-10275 Inadequate Encryption Strength vulnerability in multiple products
The access tokens for the REST API are directly derived from the publicly available default credentials for the web interface.
network
low complexity
mobile-industrial-robots easyrobotics uvd-robots CWE-326
critical
9.8
2020-06-24 CVE-2020-10274 Use of Insufficiently Random Values vulnerability in multiple products
The access tokens for the REST API are directly derived (sha256 and base64 encoding) from the publicly available default credentials from the Control Dashboard (refer to CVE-2020-10270 for related flaws).
7.1
2020-06-24 CVE-2020-10273 Cleartext Storage of Sensitive Information vulnerability in multiple products
MiR controllers across firmware versions 2.8.1.1 and before do not encrypt or protect in any way the intellectual property artifacts installed in the robots.
7.5
2020-06-24 CVE-2020-10272 Missing Authentication for Critical Function vulnerability in multiple products
MiR100, MiR200 and other MiR robots use the Robot Operating System (ROS) default packages exposing the computational graph without any sort of authentication.
9.8
2020-06-24 CVE-2020-10271 Exposure of Resource to Wrong Sphere vulnerability in multiple products
MiR100, MiR200 and other MiR robots use the Robot Operating System (ROS) default packages exposing the computational graph to all network interfaces, wireless and wired.
9.8