RVD#2556: MiR REST API allows for data exfiltration by unauthorized attackers (e.g. indoor maps)
CVE-2020-10274

7.1HIGH

Key Information:

Vendor: Mobile Industrial Robots A/s
Status: Mir100
Vendor: CVE Published:; 24 June 2020

🔔 Create Mobile Industrial Robots A/s Vulnerability Alert

What is CVE-2020-10274?

The access tokens for the REST API are directly derived (sha256 and base64 encoding) from the publicly available default credentials from the Control Dashboard (refer to CVE-2020-10270 for related flaws). This flaw in combination with CVE-2020-10273 allows any attacker connected to the robot networks (wired or wireless) to exfiltrate all stored data (e.g. indoor mapping images) and associated metadata from the robot's database.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

MiR100 v2.8.1.1 and before

References

https://github.com/aliasrobotics/RVD/issues/2556

x_refsource_CONFIRM

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 24, 2020
Vulnerability Reserved
Mar 10, 2020

Credit

Alias Robotics (group, https://aliasrobotics.com)

JSON

Mobile Industrial Robots A/s