CVE-2020-10285 - OpenCVE

The authentication implementation on the xArm controller has very low entropy, making it vulnerable to a brute-force attack. There is no mechanism in place to mitigate or lockout automated attempts to gain access.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact Low

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Ufactory	Xarm 5 Lite Firmware Xarm 5 Lite

Configuration 1 [-]

AND

cpe:2.3:o:ufactory:xarm_5_lite_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:ufactory:xarm_5_lite:-:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/aliasrobotics/RVD/issues/3322	Issue Tracking Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Alias

Published: 2020-07-15T00:00:00

Updated: 2020-07-15T21:00:14

Reserved: 2020-03-10T00:00:00

Link: CVE-2020-10285

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-07-15T21:15:12.193

Modified: 2021-12-21T12:44:26.403

Link: CVE-2020-10285

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "xArm5 Lite, xArm 6 and xArm 7", "vendor": "uFactory", "versions": [{"status": "affected", "version": "v1.5.0 and before"}]}], "credits": [{"lang": "en", "value": "Alfonso Glera (Alias Robotics)"}], "datePublic": "2020-07-15T00:00:00", "descriptions": [{"lang": "en", "value": "The authentication implementation on the xArm controller has very low entropy, making it vulnerable to a brute-force attack. There is no mechanism in place to mitigate or lockout automated attempts to gain access."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-307", "description": "CWE-307", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-07-15T21:00:14", "orgId": "dc524f69-879d-41dc-ab8f-724e78658a1a", "shortName": "Alias"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/aliasrobotics/RVD/issues/3322"}], "source": {"defect": ["RVD#3322"], "discovery": "EXTERNAL"}, "title": "RVD#3322: Weak authentication implementation make the system vulnerable to a brute-force attack over adjacent networks", "x_generator": {"engine": "Robot Vulnerability Database (RVD)"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@aliasrobotics.com", "DATE_PUBLIC": "2020-07-15T20:57:53 +00:00", "ID": "CVE-2020-10285", "STATE": "PUBLIC", "TITLE": "RVD#3322: Weak authentication implementation make the system vulnerable to a brute-force attack over adjacent networks"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "xArm5 Lite, xArm 6 and xArm 7", "version": {"version_data": [{"version_value": "v1.5.0 and before"}]}}]}, "vendor_name": "uFactory"}]}}, "credit": [{"lang": "eng", "value": "Alfonso Glera (Alias Robotics)"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The authentication implementation on the xArm controller has very low entropy, making it vulnerable to a brute-force attack. There is no mechanism in place to mitigate or lockout automated attempts to gain access."}]}, "generator": {"engine": "Robot Vulnerability Database (RVD)"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.3, "baseSeverity": "critical", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-307"}]}]}, "references": {"reference_data": [{"name": "https://github.com/aliasrobotics/RVD/issues/3322", "refsource": "CONFIRM", "url": "https://github.com/aliasrobotics/RVD/issues/3322"}]}, "source": {"defect": ["RVD#3322"], "discovery": "EXTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "dc524f69-879d-41dc-ab8f-724e78658a1a", "assignerShortName": "Alias", "cveId": "CVE-2020-10285", "datePublished": "2020-07-15T00:00:00", "dateReserved": "2020-03-10T00:00:00", "dateUpdated": "2020-07-15T21:00:14", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:ufactory:xarm_5_lite_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "A890A4C3-06E6-4A87-A2D5-D57BFD1CFE9D", "versionEndIncluding": "1.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:ufactory:xarm_5_lite:-:*:*:*:*:*:*:*", "matchCriteriaId": "0D8D6E40-FA1A-4BC1-BED9-61384D5B700E", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "The authentication implementation on the xArm controller has very low entropy, making it vulnerable to a brute-force attack. There is no mechanism in place to mitigate or lockout automated attempts to gain access."}, {"lang": "es", "value": "La implementaci\u00f3n de autenticaci\u00f3n en el controlador xArm presenta una entrop\u00eda muy baja, haci\u00e9ndole vulnerable a un ataque de fuerza bruta. No posee un mecanismo para mitigar o bloquear los intentos automatizados de conseguir acceso"}], "id": "CVE-2020-10285", "lastModified": "2021-12-21T12:44:26.403", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.5, "source": "cve@aliasrobotics.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-07-15T21:15:12.193", "references": [{"source": "cve@aliasrobotics.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://github.com/aliasrobotics/RVD/issues/3322"}], "sourceIdentifier": "cve@aliasrobotics.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-331"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-307"}], "source": "cve@aliasrobotics.com", "type": "Secondary"}]}