Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

RVD#2558: Default credentials on SICK PLC allows disabling safety features #2558

Open
rvd-bot opened this issue Jun 24, 2020 · 0 comments
Open

RVD#2558: Default credentials on SICK PLC allows disabling safety features #2558

rvd-bot opened this issue Jun 24, 2020 · 0 comments
Labels
robot: ER200 robot: ER-Flex robot: ER-Lite robot: ER-One robot: MiR100 robot: MiR200 robot: MiR250 robot: MiR500 robot: MiR1000 robot: UVD severity: critical 9.0 - 10.0 vendor: Easy Robotics vendor: Enabled Robotics vendor: Mobile Industrial Robots vendor: Robotplus https://robotplus.es/ vendor: UVD Robots vulnerability

Comments

@rvd-bot
Copy link
Contributor

rvd-bot commented Jun 24, 2020
edited by glerapic 

id: 2558
title: 'RVD#2558: Default credentials on SICK PLC allows disabling safety features'
type: vulnerability
description: The password for the safety PLC is the default and thus easy to find
  (in manuals, etc.). This allows a manipulated program to be uploaded to the safety
  PLC, effectively disabling the emergency stop in case an object is too close to
  the robot. Navigation and any other components dependent on the laser scanner are
  not affected (thus it is hard to detect before something happens) though the laser
  scanner configuration can also be affected altering further the safety of the device.
cwe: CWE-798
cve: CVE-2020-10276
keywords:
- MiR100, MiR200, MiR500, MiR250, MiR1000, ER200, ER-Lite, ER-Flex,
  ER-One, UVD, Autentication
system: MiR100:v2.8.1.1 and before, MiR200, MiR250, MiR500, MiR1000, ER200,
  ER-Lite, ER-Flex, ER-One, UVD
vendor: Mobile Industrial Robots A/S, EasyRobotics, Enabled Robotics, UVD Robots
severity:
  rvss-score: 9.4
  rvss-vector: RVSS:1.0/AV:IN/AC:H/PR:L/UI:N/Y:Z/S:U/C:H/I:H/A:H/H:H
  severity-description: Critical
  cvss-score: 9.8
  cvss-vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
links:
- https://cwe.mitre.org/data/definitions/798.html
- http://bernharddieber.com/publication/taurer2019mirsafety
- https://github.com/aliasrobotics/RVD/issues/2558
flaw:
  phase: runtime-operation
  specificity: general-issue
  architectural-location: Plataform code
  application: Safety PLC
  subsystem: Sensing:Safety_PLC
  package: N/A
  languages: Flexi Soft Designer
  date-detected: 2019-07-01
  detected-by: Bernhard Dieber (Joanneum Research)
  detected-by-method: testing dynamic
  date-reported: '2020-06-24'
  reported-by: "Victor Mayoral Vilches (Alias Robotics)"
  reported-by-relationship: security researcher
  issue: https://github.com/aliasrobotics/RVD/issues/2558
  reproducibility: Always
  trace: Not disclosed
  reproduction: Not disclosed
  reproduction-image: Not disclosed
exploitation:
  description: Not disclosed
  exploitation-image: Not disclosed
  exploitation-vector: Not disclosed
  exploitation-recipe:
    networks:
    - network:
      - driver: overlay
      - name: mireth-network
      - encryption: false
    containers:
    - container:
      - name: mir100
      - modules:
        - base: registry.gitlab.com/aliasrobotics/offensive/alurity/robo_mir100:2.8.1.1
        - network: mireth-network
    - container:
      - name: attacker
      - modules:
        - base: registry.gitlab.com/aliasrobotics/offensive/alurity/comp_ros:latest
        - volume: registry.gitlab.com/aliasrobotics/offensive/alurity/expl_robosploit/expl_robosploit:latest
        - volume: registry.gitlab.com/aliasrobotics/offensive/alurity/deve_atom:latest
        - volume: registry.gitlab.com/aliasrobotics/offensive/alurity/reco_nmap:latest
        - network: mireth-network
    flow:
    - container:
      - name: attacker
      - window:
        - name: attacker
        - commands:
          - command: 'export TARGET=$(nslookup mir100 |  awk "NR==6{print$2}" | sed
              "s/Address: //g")'
          - command: robosploit -m exploits/mir/safety/plc_disable
    - container:
      - name: mir100
      - window:
        - name: setup
        - commands:
          - command: mkdir /var/run/sshd
          - command: /usr/sbin/sshd
          - command: /bin/sleep 5
          - command: sudo mkdir /run/lock
          - command: /etc/init.d/apache2 start
          - split: horizontal
          - command: /bin/sleep 2
          - command: python /usr/local/mir/software/robot/release/db_backup.py
          - command: /etc/init.d/mysql start
          - command: /bin/sleep 2
          - command: /usr/sbin/mysqld --verbose &
      - window:
        - name: ros
        - commands:
          - command: python /usr/local/mir/software/robot/release/db_backup.py
          - command: sudo apt-key adv --keyserver 'hkp://keyserver.ubuntu.com:80'
              --recv-key C1CF6E31E6BADE8868B172B4F42ED6FBAB17C654
          - command: sudo apt-get update
          - command: roslaunch mirCommon mir_bringup.launch
      - select: setup
    - attach: attacker
mitigation:
  description: Not disclosed
  pull-request: Not disclosed
  date-mitigation: null
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
robot: ER200 robot: ER-Flex robot: ER-Lite robot: ER-One robot: MiR100 robot: MiR200 robot: MiR250 robot: MiR500 robot: MiR1000 robot: UVD severity: critical 9.0 - 10.0 vendor: Easy Robotics vendor: Enabled Robotics vendor: Mobile Industrial Robots vendor: Robotplus https://robotplus.es/ vendor: UVD Robots vulnerability
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@vmayoral @glerapic @rvd-bot