{"containers": {"cna": {"affected": [{"product": "MAVLink", "vendor": "unspecified", "versions": [{"status": "affected", "version": " v1.0"}]}], "credits": [{"lang": "en", "value": "None"}], "datePublic": "2020-07-03T00:00:00", "descriptions": [{"lang": "en", "value": "The Micro Air Vehicle Link (MAVLink) protocol presents no authentication mechanism on its version 1.0 (nor authorization) whichs leads to a variety of attacks including identity spoofing, unauthorized access, PITM attacks and more. According to literature, version 2.0 optionally allows for package signing which mitigates this flaw. Another source mentions that MAVLink 2.0 only provides a simple authentication system based on HMAC. This implies that the flying system overall should add the same symmetric key into all devices of network. If not the case, this may cause a security issue, that if one of the devices and its symmetric key are compromised, the whole authentication system is not reliable."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-306", "description": "CWE-306", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-07-03T14:30:15", "orgId": "dc524f69-879d-41dc-ab8f-724e78658a1a", "shortName": "Alias"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/rligocki/Diploma_thesis_px4"}], "source": {"defect": ["RVD#3316"], "discovery": "EXTERNAL"}, "title": "RVD#3316: No authentication in MAVLink protocol", "x_generator": {"engine": "Robot Vulnerability Database (RVD)"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@aliasrobotics.com", "DATE_PUBLIC": "2020-07-03T14:21:35 +00:00", "ID": "CVE-2020-10282", "STATE": "PUBLIC", "TITLE": "RVD#3316: No authentication in MAVLink protocol"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "MAVLink", "version": {"version_data": [{"version_value": " v1.0"}]}}]}, "vendor_name": ""}]}}, "credit": [{"lang": "eng", "value": "None"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Micro Air Vehicle Link (MAVLink) protocol presents no authentication mechanism on its version 1.0 (nor authorization) whichs leads to a variety of attacks including identity spoofing, unauthorized access, PITM attacks and more. According to literature, version 2.0 optionally allows for package signing which mitigates this flaw. Another source mentions that MAVLink 2.0 only provides a simple authentication system based on HMAC. This implies that the flying system overall should add the same symmetric key into all devices of network. If not the case, this may cause a security issue, that if one of the devices and its symmetric key are compromised, the whole authentication system is not reliable."}]}, "generator": {"engine": "Robot Vulnerability Database (RVD)"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "critical", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-306"}]}]}, "references": {"reference_data": [{"name": "https://github.com/rligocki/Diploma_thesis_px4", "refsource": "CONFIRM", "url": "https://github.com/rligocki/Diploma_thesis_px4"}]}, "source": {"defect": ["RVD#3316"], "discovery": "EXTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "dc524f69-879d-41dc-ab8f-724e78658a1a", "assignerShortName": "Alias", "cveId": "CVE-2020-10282", "datePublished": "2020-07-03T00:00:00", "dateReserved": "2020-03-10T00:00:00", "dateUpdated": "2020-07-03T14:30:15", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dronecode:micro_air_vehicle_link:1.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "F56CC677-E829-48A5-B01B-9B33F13C084B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Micro Air Vehicle Link (MAVLink) protocol presents no authentication mechanism on its version 1.0 (nor authorization) whichs leads to a variety of attacks including identity spoofing, unauthorized access, PITM attacks and more. According to literature, version 2.0 optionally allows for package signing which mitigates this flaw. Another source mentions that MAVLink 2.0 only provides a simple authentication system based on HMAC. This implies that the flying system overall should add the same symmetric key into all devices of network. If not the case, this may cause a security issue, that if one of the devices and its symmetric key are compromised, the whole authentication system is not reliable."}, {"lang": "es", "value": "El protocolo Micro Air Vehicle Link (MAVLink) no presenta ning\u00fan mecanismo de autenticaci\u00f3n en su versi\u00f3n 1.0 (ni autorizaci\u00f3n), lo que conlleva a una variedad de ataques que incluyen suplantaci\u00f3n de identidad, acceso no autorizado, ataques PITM y m\u00e1s. De acuerdo a la literatura, la versi\u00f3n 2.0 opcionalmente permite la firma de paquetes que mitiga este fallo. Otra fuente menciona que MAVLink versi\u00f3n 2.0 solo proporciona un sistema de autenticaci\u00f3n simple basado en HMAC. Esto implica que el sistema de vuelo en general deber\u00eda agregar la misma clave sim\u00e9trica en todos los dispositivos de la red. Si no es el caso, esto puede causar un problema de seguridad, que si uno de los dispositivos y su clave sim\u00e9trica est\u00e1n comprometidos, todo el sistema de autenticaci\u00f3n no es confiable"}], "id": "CVE-2020-10282", "lastModified": "2020-10-23T18:19:59.583", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "cve@aliasrobotics.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-07-03T15:15:09.870", "references": [{"source": "cve@aliasrobotics.com", "tags": ["Third Party Advisory"], "url": "https://github.com/rligocki/Diploma_thesis_px4"}], "sourceIdentifier": "cve@aliasrobotics.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-306"}], "source": "cve@aliasrobotics.com", "type": "Secondary"}]}

{}