CVE-2018-17178
Summary
| CVE | CVE-2018-17178 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2018-09-18 18:29:00 UTC |
| Updated | 2021-06-17 17:28:00 UTC |
| Description | An issue was discovered on Neato Botvac Connected 2.2.0 devices. They execute unauthenticated manual drive commands (sent to /bin/webserver on port 8081) if they already have an active session. Commands like forward, back, arc-left, arc-right, pivot-left, and pivot-right are executed even though the web socket replies with { "message" : "invalid authorization header" }. Without an active session, commands are still interpreted, but (except for eco-on and eco-off) have no effect, since without active driving, a driving direction does not change anything. |
Risk And Classification
Problem Types: NVD-CWE-noinfo
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Hardware | Neato | Botvac D3 Connected | - | All | All | All |
| Hardware | Neato | Botvac D3 Connected | - | All | All | All |
| Operating System | Neato | Botvac D3 Connected Firmware | 2.2.0 | All | All | All |
| Operating System | Neato | Botvac D3 Connected Firmware | 2.2.0 | All | All | All |
| Hardware | Neato | Botvac D4 Connected | - | All | All | All |
| Hardware | Neato | Botvac D4 Connected | - | All | All | All |
| Operating System | Neato | Botvac D4 Connected Firmware | 2.2.0 | All | All | All |
| Operating System | Neato | Botvac D4 Connected Firmware | 2.2.0 | All | All | All |
| Hardware | Neato | Botvac D5 Connected | - | All | All | All |
| Hardware | Neato | Botvac D5 Connected | - | All | All | All |
| Operating System | Neato | Botvac D5 Connected Firmware | 2.2.0 | All | All | All |
| Operating System | Neato | Botvac D5 Connected Firmware | 2.2.0 | All | All | All |
| Hardware | Neato | Botvac D6 Connected | - | All | All | All |
| Hardware | Neato | Botvac D6 Connected | - | All | All | All |
| Operating System | Neato | Botvac D6 Connected Firmware | 2.2.0 | All | All | All |
| Operating System | Neato | Botvac D6 Connected Firmware | 2.2.0 | All | All | All |
| Hardware | Neato | Botvac D7 Connected | - | All | All | All |
| Hardware | Neato | Botvac D7 Connected | - | All | All | All |
| Operating System | Neato | Botvac D7 Connected Firmware | 2.2.0 | All | All | All |
| Operating System | Neato | Botvac D7 Connected Firmware | 2.2.0 | All | All | All |
| Hardware | Neatorobotics | Botvac D3 Connected | - | All | All | All |
| Operating System | Neatorobotics | Botvac D3 Connected Firmware | 2.2.0 | All | All | All |
| Hardware | Neatorobotics | Botvac D4 Connected | - | All | All | All |
| Operating System | Neatorobotics | Botvac D4 Connected Firmware | 2.2.0 | All | All | All |
| Hardware | Neatorobotics | Botvac D5 Connected | - | All | All | All |
| Operating System | Neatorobotics | Botvac D5 Connected Firmware | 2.2.0 | All | All | All |
| Hardware | Neatorobotics | Botvac D6 Connected | - | All | All | All |
| Operating System | Neatorobotics | Botvac D6 Connected Firmware | 2.2.0 | All | All | All |
| Hardware | Neatorobotics | Botvac D7 Connected | - | All | All | All |
| Operating System | Neatorobotics | Botvac D7 Connected Firmware | 2.2.0 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| media.ccc.de - Pinky & Brain are taking over the world with vacuum cleaners | MISC | media.ccc.de | Exploit, Technical Description, Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.