Lucene search

[email protected]CVE-2020-10278

HistoryJun 24, 2020 - 5:15 a.m.

CVE-2020-10278

2020-06-2405:15:00

CWE-287

[email protected]

web.nvd.nist.gov

cve-2020-10278

bios

password protection

unauthorized access

security vulnerability

nvd

4.6 Medium

CVSS3

Attack Vector

PHYSICAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

5.6 Medium

AI Score

Confidence

High

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

0.001 Low

EPSS

Percentile

23.0%

JSON

The BIOS onboard MiR’s Computer is not protected by password, therefore, it allows a Bad Operator to modify settings such as boot order. This can be leveraged by a Malicious operator to boot from a Live Image.

CPENameOperatorVersion
aliasrobotics:mir100_firmwarealiasrobotics mir100 firmwarele2.8.1.1
aliasrobotics:mir200_firmwarealiasrobotics mir200 firmwarele2.8.1.1
aliasrobotics:mir250_firmwarealiasrobotics mir250 firmwarele2.8.1.1
aliasrobotics:mir500_firmwarealiasrobotics mir500 firmwarele2.8.1.1
aliasrobotics:mir1000_firmwarealiasrobotics mir1000 firmwarele2.8.1.1
mobile-industrial-robotics:er200_firmwaremobile-industrial-robotics er200 firmwarele2.8.1.1
enabled-robotics:er-lite_firmwareenabled-robotics er-lite firmwarele2.8.1.1
enabled-robotics:er-flex_firmwareenabled-robotics er-flex firmwarele2.8.1.1
enabled-robotics:er-one_firmwareenabled-robotics er-one firmwarele2.8.1.1
uvd-robots:uvd_robots_firmwareuvd-robots uvd robots firmwarele2.8.1.1

CPE	Name	Operator	Version
aliasrobotics:mir100_firmware	aliasrobotics mir100 firmware	le	2.8.1.1
aliasrobotics:mir200_firmware	aliasrobotics mir200 firmware	le	2.8.1.1
aliasrobotics:mir250_firmware	aliasrobotics mir250 firmware	le	2.8.1.1
aliasrobotics:mir500_firmware	aliasrobotics mir500 firmware	le	2.8.1.1
aliasrobotics:mir1000_firmware	aliasrobotics mir1000 firmware	le	2.8.1.1
mobile-industrial-robotics:er200_firmware	mobile-industrial-robotics er200 firmware	le	2.8.1.1
enabled-robotics:er-lite_firmware	enabled-robotics er-lite firmware	le	2.8.1.1
enabled-robotics:er-flex_firmware	enabled-robotics er-flex firmware	le	2.8.1.1
enabled-robotics:er-one_firmware	enabled-robotics er-one firmware	le	2.8.1.1
uvd-robots:uvd_robots_firmware	uvd-robots uvd robots firmware	le	2.8.1.1

References

github.com/aliasrobotics/RVD/issues/2561

4.6 Medium

CVSS3

Attack Vector

PHYSICAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

5.6 Medium

AI Score

Confidence

High

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

0.001 Low

EPSS

Percentile

23.0%

JSON

Related for CVE-2020-10278

prion1 ics1