CVE-2020-10285 - OpenCVE

The authentication implementation on the xArm controller has very low entropy, making it vulnerable to a brute-force attack. There is no mechanism in place to mitigate or lockout automated attempts to gain access.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact Low

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Ufactory	Xarm 5 Lite Xarm 5 Lite Firmware

Configuration 1 [-]

AND

cpe:2.3:o:ufactory:xarm_5_lite_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:ufactory:xarm_5_lite:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/aliasrobotics/RVD/issues/3322

History

No history.

MITRE

Status: PUBLISHED

Assigner: Alias

Published: 2020-07-15T21:00:14.468329Z

Updated: 2024-09-17T02:32:51.974Z

Reserved: 2020-03-10T00:00:00

Link: CVE-2020-10285

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-07-15T21:15:12.193

Modified: 2021-12-21T12:44:26.403

Link: CVE-2020-10285

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "xArm5 Lite, xArm 6 and xArm 7", "vendor": "uFactory", "versions": [{"status": "affected", "version": "v1.5.0 and before"}]}], "credits": [{"lang": "en", "value": "Alfonso Glera (Alias Robotics)"}], "datePublic": "2020-07-15T00:00:00", "descriptions": [{"lang": "en", "value": "The authentication implementation on the xArm controller has very low entropy, making it vulnerable to a brute-force attack. There is no mechanism in place to mitigate or lockout automated attempts to gain access."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-307", "description": "CWE-307", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-07-15T21:00:14", "orgId": "dc524f69-879d-41dc-ab8f-724e78658a1a", "shortName": "Alias"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/aliasrobotics/RVD/issues/3322"}], "source": {"defect": ["RVD#3322"], "discovery": "EXTERNAL"}, "title": "RVD#3322: Weak authentication implementation make the system vulnerable to a brute-force attack over adjacent networks", "x_generator": {"engine": "Robot Vulnerability Database (RVD)"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@aliasrobotics.com", "DATE_PUBLIC": "2020-07-15T20:57:53 +00:00", "ID": "CVE-2020-10285", "STATE": "PUBLIC", "TITLE": "RVD#3322: Weak authentication implementation make the system vulnerable to a brute-force attack over adjacent networks"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "xArm5 Lite, xArm 6 and xArm 7", "version": {"version_data": [{"version_value": "v1.5.0 and before"}]}}]}, "vendor_name": "uFactory"}]}}, "credit": [{"lang": "eng", "value": "Alfonso Glera (Alias Robotics)"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The authentication implementation on the xArm controller has very low entropy, making it vulnerable to a brute-force attack. There is no mechanism in place to mitigate or lockout automated attempts to gain access."}]}, "generator": {"engine": "Robot Vulnerability Database (RVD)"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.3, "baseSeverity": "critical", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-307"}]}]}, "references": {"reference_data": [{"name": "https://github.com/aliasrobotics/RVD/issues/3322", "refsource": "CONFIRM", "url": "https://github.com/aliasrobotics/RVD/issues/3322"}]}, "source": {"defect": ["RVD#3322"], "discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T10:58:40.139Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/aliasrobotics/RVD/issues/3322"}]}]}, "cveMetadata": {"assignerOrgId": "dc524f69-879d-41dc-ab8f-724e78658a1a", "assignerShortName": "Alias", "cveId": "CVE-2020-10285", "datePublished": "2020-07-15T21:00:14.468329Z", "dateReserved": "2020-03-10T00:00:00", "dateUpdated": "2024-09-17T02:32:51.974Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:ufactory:xarm_5_lite_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "A890A4C3-06E6-4A87-A2D5-D57BFD1CFE9D", "versionEndIncluding": "1.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:ufactory:xarm_5_lite:-:*:*:*:*:*:*:*", "matchCriteriaId": "0D8D6E40-FA1A-4BC1-BED9-61384D5B700E", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The authentication implementation on the xArm controller has very low entropy, making it vulnerable to a brute-force attack. There is no mechanism in place to mitigate or lockout automated attempts to gain access."}, {"lang": "es", "value": "La implementaci\u00f3n de autenticaci\u00f3n en el controlador xArm presenta una entrop\u00eda muy baja, haci\u00e9ndole vulnerable a un ataque de fuerza bruta. No posee un mecanismo para mitigar o bloquear los intentos automatizados de conseguir acceso"}], "id": "CVE-2020-10285", "lastModified": "2021-12-21T12:44:26.403", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.5, "source": "cve@aliasrobotics.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-07-15T21:15:12.193", "references": [{"source": "cve@aliasrobotics.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://github.com/aliasrobotics/RVD/issues/3322"}], "sourceIdentifier": "cve@aliasrobotics.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-331"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-307"}], "source": "cve@aliasrobotics.com", "type": "Secondary"}]}