Platform: other
Component: rvd
Fixed in: 2.8.2
CVE-2020-10272 is a critical vulnerability affecting Mobile Industrial Robots (MiR) models such as the MiR100 and MiR200, which are built on the Robot Operating System (ROS). The default ROS packages expose the robot's computational graph (its nodes, topics and services) without any authentication, so anyone with network access to the robot can take control of it. MiR software versions up to and including 2.8.1.1 are affected; the fix ships in version 2.8.2.
The primary impact of CVE-2020-10272 is the potential for complete, unauthorized control of MiR robots. An attacker with access to the robot's internal wireless or wired network can exploit this vulnerability to command the robot, potentially disrupting operations, causing physical damage, or compromising sensitive data. This vulnerability is particularly concerning in environments where robots are used for critical tasks such as material handling or logistics. The lack of authentication means that any device on the internal network can potentially exploit this flaw. Combined with CVE-2020-10269 and CVE-2020-10271, the attack surface expands significantly, allowing for more complex and potentially devastating attacks.
CVE-2020-10272 has not been publicly exploited, but the ease of exploitation and the potential impact make it a significant concern. It is listed on CISA KEV as of 2020, indicating a high probability of exploitation. Public proof-of-concept code is not readily available, but the vulnerability's nature suggests that it could be easily developed. The combination of this vulnerability with CVE-2020-10269 and CVE-2020-10271 creates a more complex attack chain, potentially increasing the likelihood of exploitation.
Exploit Status
EPSS: 0.47% (65th percentile)
CVSS Vector
The primary mitigation for CVE-2020-10272 is to upgrade MiR robots to version 2.8.2 or later, which includes the necessary authentication measures. If upgrading is not immediately feasible, consider segmenting the robot's network to restrict access to only authorized devices. Implementing strict firewall rules and intrusion detection systems can also help to detect and prevent unauthorized access attempts. Review and harden ROS configurations, disabling unnecessary services and ensuring strong password policies are enforced. After upgrading, confirm the fix by attempting to access the robot's computational graph from an unauthorized network location; access should be denied.
Update the MiR robot software to a version that implements authentication mechanisms for the ROS computational graph. Consult the manufacturer's documentation (Mobile Industrial Robots A/S) for the latest security updates and installation instructions.
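The verification step described above, querying the computational graph from a network location that should no longer reach it, as an added read-only check; this is not code from MiR, ROS or this page. It assumes a ROS 1 master speaking its XML-RPC API (default port 11311), and the local stand-in master and sample graph are constructed for offline demonstration.

```python
"""Added check: does a ROS 1 master answer unauthenticated graph queries from here?"""
import socket
import threading
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCServer


def summarize_system_state(reply):
    """Classify a getSystemState reply, shaped [code, msg, [pubs, subs, srvs]].
    Code 1 means the master handed its graph to a caller it never authenticated."""
    code, _msg, state = reply
    if code != 1:
        return "denied", f"master returned status code {code}"
    publishers, subscribers, services = state
    topics = sorted({t for t, _ in publishers} | {t for t, _ in subscribers})
    return "exposed", {"topics": topics, "services": sorted(s for s, _ in services)}


def check_master(master_uri, timeout=3.0):
    """Read-only probe: ask the master for its system state with no credentials.
    An unpatched, reachable master answers; a segmented or patched one refuses
    or times out, which is the result an upgraded deployment should produce."""
    socket.setdefaulttimeout(timeout)  # a firewalled port must not hang the check
    proxy = xmlrpc.client.ServerProxy(master_uri)
    try:
        reply = proxy.getSystemState("/graph_exposure_check")  # argument is only a caller id
    except (OSError, xmlrpc.client.Fault, xmlrpc.client.ProtocolError) as exc:
        return "denied", f"{type(exc).__name__}: {exc}"
    return summarize_system_state(reply)


def start_fake_master(state):
    """Local stand-in for an unauthenticated master so the check runs offline (constructed)."""
    server = SimpleXMLRPCServer(("127.0.0.1", 0), logRequests=False)
    server.register_function(lambda caller_id: [1, "current system state", state],
                             "getSystemState")
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_address[1]}"


# Constructed sample graph, the kind of summary an exposed mobile-robot master reports.
SAMPLE_STATE = [
    [["/cmd_vel", ["/teleop"]], ["/scan", ["/laser_driver"]]],  # publishers
    [["/cmd_vel", ["/base_controller"]]],                      # subscribers
    [["/set_map", ["/map_server"]]],                           # services
]

if __name__ == "__main__":
    import sys
    # Pass the robot's master URI (e.g. http://<robot-ip>:11311) from the segment under test;
    # with no argument the check runs against the local stand-in.
    target = sys.argv[1] if len(sys.argv) > 1 else start_fake_master(SAMPLE_STATE)
    print(check_master(target))
```

Run it from a host that segmentation or the 2.8.2 upgrade is supposed to exclude: "denied" is the expected result, and "exposed" with a topic list means the graph is still reachable without credentials.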
CVE-2020-10272 is a critical vulnerability affecting MiR robots using ROS, allowing unauthorized control due to exposed computational graphs without authentication.
You are affected if you run MiR robots on software version 2.8.1.1 or earlier and have not upgraded.
Upgrade your MiR robots to version 2.8.2 or later to mitigate the vulnerability. Network segmentation is a temporary workaround.
While no public exploitation has been confirmed, the vulnerability's ease of exploitation and potential impact suggest a high probability of exploitation.
Refer to the MiR security advisory for detailed information and mitigation steps: [https://www.mir-robotics.com/security-advisory-ros-vulnerabilities/](https://www.mir-robotics.com/security-advisory-ros-vulnerabilities/)