CVE-2020-10266
Summary
| CVE | CVE-2020-10266 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2020-04-06 12:15:00 UTC |
| Updated | 2020-04-06 23:10:00 UTC |
| Description | UR+ (Universal Robots+) is a platform of hardware and software component sellers, for Universal Robots robots. When installing any of these components in the robots (e.g. in the UR10), no integrity checks are performed. Moreover, the SDK for making such components can be easily obtained from Universal Robots. An attacker could exploit this flaw by crafting a custom component with the SDK, performing Person-In-The-Middle attacks (PITM) and shipping the maliciously-crafted component on demand. |
Risk And Classification
Problem Types: CWE-345
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Hardware | Universal-robots | Ur10 | - | All | All | All |
| Hardware | Universal-robots | Ur10 | - | All | All | All |
| Hardware | Universal-robots | Ur3 | - | All | All | All |
| Hardware | Universal-robots | Ur3 | - | All | All | All |
| Hardware | Universal-robots | Ur5 | - | All | All | All |
| Hardware | Universal-robots | Ur5 | - | All | All | All |
| Application | Universal-robots | Ur | - | All | All | All |
| Application | Universal-robots | Ur | - | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| RVD#1487: No integrity checks on UR+ platform artifacts when installed in the robot · Issue #1487 · aliasrobotics/RVD · GitHub | CONFIRM | github.com | Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: Víctor Mayoral Vilches <[email protected]>, Mike Karamousadakis, Lander Usategui San Juan
There are currently no legacy QID mappings associated with this CVE.