CVE-2020-10286 - OpenCVE

the main user account has restricted privileges but is in the sudoers group and there is not any mechanism in place to prevent sudo su or sudo -i to be run gaining unrestricted access to sensible files, encryption, or issue orders that disrupt robot operation.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact Low

Availability Impact High

User Interaction None

Access Vector Adjacent Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:A/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Ufactory	Xarm 5 Lite Xarm 5 Lite Firmware Xarm 6 Xarm 6 Firmware Xarm 7 Xarm 7 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:ufactory:xarm_5_lite_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:ufactory:xarm_5_lite:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:ufactory:xarm_6_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:ufactory:xarm_6:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:ufactory:xarm_7_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:ufactory:xarm_7:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/aliasrobotics/RVD/issues/3323

History

No history.

MITRE

Status: PUBLISHED

Assigner: Alias

Published: 2020-07-15T21:15:13.859317Z

Updated: 2024-09-17T00:22:04.212Z

Reserved: 2020-03-10T00:00:00

Link: CVE-2020-10286

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-07-15T22:15:13.857

Modified: 2021-12-21T12:44:55.387

Link: CVE-2020-10286

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "xArm 5 Lite, xArm 6 and xArm 7", "vendor": "uFactory", "versions": [{"status": "affected", "version": "v1.5.0 and before"}]}], "credits": [{"lang": "en", "value": "Alfonso Glera (Alias Robotics)"}], "datePublic": "2020-07-15T00:00:00", "descriptions": [{"lang": "en", "value": "the main user account has restricted privileges but is in the sudoers group and there is not any mechanism in place to prevent sudo su or sudo -i to be run gaining unrestricted access to sensible files, encryption, or issue orders that disrupt robot operation."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-656", "description": "CWE-656", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-07-15T21:15:13", "orgId": "dc524f69-879d-41dc-ab8f-724e78658a1a", "shortName": "Alias"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/aliasrobotics/RVD/issues/3323"}], "source": {"defect": ["RVD#3323"], "discovery": "EXTERNAL"}, "title": "RVD#3323: Mismanaged permission implementation leads to privilege escalation, exfiltration of sensitive information, and DoS", "x_generator": {"engine": "Robot Vulnerability Database (RVD)"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@aliasrobotics.com", "DATE_PUBLIC": "2020-07-15T21:09:30 +00:00", "ID": "CVE-2020-10286", "STATE": "PUBLIC", "TITLE": "RVD#3323: Mismanaged permission implementation leads to privilege escalation, exfiltration of sensitive information, and DoS"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "xArm 5 Lite, xArm 6 and xArm 7", "version": {"version_data": [{"version_value": "v1.5.0 and before"}]}}]}, "vendor_name": "uFactory"}]}}, "credit": [{"lang": "eng", "value": "Alfonso Glera (Alias Robotics)"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "the main user account has restricted privileges but is in the sudoers group and there is not any mechanism in place to prevent sudo su or sudo -i to be run gaining unrestricted access to sensible files, encryption, or issue orders that disrupt robot operation."}]}, "generator": {"engine": "Robot Vulnerability Database (RVD)"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.3, "baseSeverity": "critical", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-656"}]}]}, "references": {"reference_data": [{"name": "https://github.com/aliasrobotics/RVD/issues/3323", "refsource": "CONFIRM", "url": "https://github.com/aliasrobotics/RVD/issues/3323"}]}, "source": {"defect": ["RVD#3323"], "discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T10:58:40.025Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/aliasrobotics/RVD/issues/3323"}]}]}, "cveMetadata": {"assignerOrgId": "dc524f69-879d-41dc-ab8f-724e78658a1a", "assignerShortName": "Alias", "cveId": "CVE-2020-10286", "datePublished": "2020-07-15T21:15:13.859317Z", "dateReserved": "2020-03-10T00:00:00", "dateUpdated": "2024-09-17T00:22:04.212Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:ufactory:xarm_5_lite_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "A890A4C3-06E6-4A87-A2D5-D57BFD1CFE9D", "versionEndIncluding": "1.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:ufactory:xarm_5_lite:-:*:*:*:*:*:*:*", "matchCriteriaId": "0D8D6E40-FA1A-4BC1-BED9-61384D5B700E", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:ufactory:xarm_6_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "FB8B955D-D0BF-4437-BB9F-E1D312AA0755", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:ufactory:xarm_6:-:*:*:*:*:*:*:*", "matchCriteriaId": "401E4800-639B-4DF9-9E64-1C71653A2367", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:ufactory:xarm_7_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "937407BD-52A5-4930-A7CC-3323DFCDE313", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:ufactory:xarm_7:-:*:*:*:*:*:*:*", "matchCriteriaId": "6B65C0A7-0221-4BBE-A590-B4942137F209", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "the main user account has restricted privileges but is in the sudoers group and there is not any mechanism in place to prevent sudo su or sudo -i to be run gaining unrestricted access to sensible files, encryption, or issue orders that disrupt robot operation."}, {"lang": "es", "value": "La cuenta de usuario principal presenta privilegios restringidos, pero est\u00e1 en el grupo sudoers y no existe ning\u00fan mecanismo en lugar de impedir que sudo su o sudo -i sea ejecutado y obtener acceso irrestricto a archivos confidenciales, cifrado o emitir \u00f3rdenes que interrumpen el funcionamiento del robot"}], "id": "CVE-2020-10286", "lastModified": "2021-12-21T12:44:55.387", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 6.5, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.5, "source": "cve@aliasrobotics.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-07-15T22:15:13.857", "references": [{"source": "cve@aliasrobotics.com", "tags": ["Third Party Advisory"], "url": "https://github.com/aliasrobotics/RVD/issues/3323"}], "sourceIdentifier": "cve@aliasrobotics.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-656"}], "source": "cve@aliasrobotics.com", "type": "Secondary"}]}