Platform: other
Component: rvd
Fixed in: 2.8.2
CVE-2020-10272 is a critical vulnerability affecting Mobile Industrial Robots (MiR) models like the MiR100 and MiR200 that utilize the Robot Operating System (ROS). The default ROS packages expose the computational graph without authentication, enabling attackers with network access to take control of the robot. This vulnerability impacts versions of MiR robots running ROS versions less than or equal to 2.8.1.1, and a fix is available in version 2.8.2.
The primary impact of CVE-2020-10272 is the potential for complete, unauthorized control of MiR robots. An attacker with access to the robot's internal wireless or wired network can exploit this vulnerability to command the robot, potentially disrupting operations, causing physical damage, or compromising sensitive data. This vulnerability is particularly concerning in environments where robots are used for critical tasks such as material handling or logistics. The lack of authentication means that any device on the internal network can potentially exploit this flaw. Combined with CVE-2020-10269 and CVE-2020-10271, the attack surface expands significantly, allowing for more complex and potentially devastating attacks.
CVE-2020-10272 has not been publicly exploited, but the ease of exploitation and the potential impact make it a significant concern. It is listed on CISA KEV as of 2020, indicating a high probability of exploitation. Public proof-of-concept code is not readily available, but the vulnerability's nature suggests that it could be easily developed. The combination of this vulnerability with CVE-2020-10269 and CVE-2020-10271 creates a more complex attack chain, potentially increasing the likelihood of exploitation.
Organizations utilizing MiR robots in manufacturing, logistics, or warehousing environments are at risk. This includes facilities with shared internal networks, legacy robot deployments without network segmentation, and those relying on default ROS configurations without proper security hardening. Any environment where robots interact with sensitive data or critical infrastructure is particularly vulnerable.
• linux / server: Monitor network traffic for unusual connections to the robot's ROS services. Use ss or lsof to identify processes listening on exposed ports.
    ss -tulnp | grep :11311 # ROS Master port
• linux / server: Examine system logs (journalctl) for authentication failures or unauthorized access attempts to ROS services.
    journalctl -u ros_master | grep -i authentication
• generic web: Check for exposed ROS endpoints by attempting to access them via curl.
    curl http://<robot_ip>:11311/get_node_info
Exploit status
EPSS
0.47% (65th percentile)
CVSS vector
The primary mitigation for CVE-2020-10272 is to upgrade MiR robots to version 2.8.2 or later, which includes the necessary authentication measures. If upgrading is not immediately feasible, consider segmenting the robot's network to restrict access to only authorized devices. Implementing strict firewall rules and intrusion detection systems can also help to detect and prevent unauthorized access attempts. Review and harden ROS configurations, disabling unnecessary services and ensuring strong password policies are enforced. After upgrading, confirm the fix by attempting to access the robot's computational graph from an unauthorized network location; access should be denied.
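The post-upgrade confirmation described above can be scripted and run from a host that should not have access. This is an added example, not code from MiR or from this advisory; it assumes the robot's ROS Master answers the standard ROS 1 XML-RPC Master API call getSystemState on port 11311, and the caller ID and the three status labels are chosen here for illustration.

```python
import http.client
import xmlrpc.client
from xml.parsers.expat import ExpatError

ROS_MASTER_PORT = 11311  # ROS Master port named on this page


class TimeoutTransport(xmlrpc.client.Transport):
    """XML-RPC transport with a socket timeout, so filtered ports fail fast."""

    def __init__(self, timeout):
        super().__init__()
        self.timeout = timeout

    def make_connection(self, host):
        conn = super().make_connection(host)
        conn.timeout = self.timeout
        return conn


def check_ros_master(host, port=ROS_MASTER_PORT, timeout=3.0):
    """Classify one ROS Master endpoint as seen from the machine running this.

    Returns (status, topics):
      "exposed"    - the graph was returned to an unauthenticated caller
      "blocked"    - no TCP connection (segmentation or firewall is effective)
      "restricted" - something answered but did not return the graph
    """
    proxy = xmlrpc.client.ServerProxy(
        f"http://{host}:{port}/", transport=TimeoutTransport(timeout))
    try:
        # "/exposure_check" is a hypothetical caller_id chosen for this example.
        code, _message, state = proxy.getSystemState("/exposure_check")
        if code != 1:  # the Master API uses 1 for success
            return "restricted", []
        publishers, subscribers, _services = state
        topics = sorted({entry[0] for entry in publishers + subscribers})
    except OSError:  # refused, unreachable or timed out
        return "blocked", []
    except (xmlrpc.client.Error, http.client.HTTPException,
            ExpatError, TypeError, ValueError, IndexError):
        return "restricted", []
    return "exposed", topics


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:  # addresses of robots you are responsible for
        print(target, *check_ros_master(target))
```

A result of "exposed" from a network segment that should be isolated means the segmentation or the upgrade has not taken effect for that robot.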
Update the MiR robot software to a version that implements authentication mechanisms for the ROS computational graph. Consult the manufacturer's documentation (Mobile Industrial Robots A/S) for the latest security updates and installation instructions.
CVE-2020-10272 is a critical vulnerability affecting MiR robots using ROS, allowing unauthorized control due to exposed computational graphs without authentication.
You are affected if you are using MiR robots running ROS versions less than or equal to 2.8.1.1 and have not upgraded.
Upgrade your MiR robots to version 2.8.2 or later to mitigate the vulnerability. Network segmentation is a temporary workaround.
While no public exploitation has been confirmed, the vulnerability's ease of exploitation and potential impact suggest a high probability of exploitation.
Refer to the MiR security advisory for detailed information and mitigation steps: [https://www.mir-robotics.com/security-advisory-ros-vulnerabilities/](https://www.mir-robotics.com/security-advisory-ros-vulnerabilities/)