search

aliasrobotics / RVD

Robot Vulnerability Database. An archive of robot vulnerabilities and bugs.
https://aliasrobotics.com
GNU General Public License v3.0
179 stars 31 forks source link

RVD#1413: User enumeration in Universal Robots Control Box CB3.x #1413

Open rvd-bot opened 4 years ago

rvd-bot commented 4 years ago 
{
    "id": 1413,
    "title": "RVD#1413: User enumeration in Universal Robots Control Box CB3.x",
    "type": "vulnerability",
    "description": "We found that the Universal Robots Controllers' file system based in Debian is subject to CVE-2016-6210 which allows to perform user enumeration. The flaw affects OpenSSH which is exposed by default in port 22. Before 7.3, when SHA256 or SHA512 are used for user password hashing, uses BLOWFISH hashing on a static password when the username does not exist, which allows remote attackers to enumerate users by leveraging the timing difference between responses when a large password is provided.",
    "cwe": "CWE-200 (Information Exposure)",
    "cve": "CVE-2016-6210",
    "keywords": [
        "Universal Robots",
        "manipulation",
        "cobot",
        "CB 3.x"
    ],
    "system": "Universal Robots Robot Controllers CB 3.x",
    "vendor": "Universal Robots",
    "severity": {
        "rvss-score": 7.9,
        "rvss-vector": "RVSS:1.0/AV:AN/AC:L/PR:N/UI:N/Y:M/S:U/C:H/I:N/A:N/H:N",
        "severity-description": "high",
        "cvss-score": 5.9,
        "cvss-vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
    },
    "links": [
        "https://www.debian.org/security/2016/dsa-3626",
        "https://tracker.debian.org/media/packages/o/openssh/changelog-1%3A6.0p1-4%2Bdeb7u6",
        "https://seclists.org/fulldisclosure/2016/Jul/51",
        "https://nvd.nist.gov/vuln/detail/CVE-2016-6210",
        "https://www.cvedetails.com/cve/CVE-2016-6210/?q=CVE-2016-6210#metasploit",
        "https://github.com/aliasrobotics/RVD/issues/1413"
    ],
    "flaw": {
        "phase": "testing",
        "specificity": "general issue",
        "architectural-location": "third-party",
        "application": "manipulator, control box",
        "subsystem": "communication",
        "package": "N/A",
        "languages": "C",
        "date-detected": null,
        "detected-by": "V\u00edctor Mayoral Vilches, Lander Usategui San Juan (Alias Robotics), Bernhard Dieber (Joanneum Research)",
        "detected-by-method": "testing violation",
        "date-reported": "2020-03-31",
        "reported-by": "V\u00edctor Mayoral Vilches (Alias Robotics)",
        "reported-by-relationship": "security researcher",
        "issue": "https://github.com/aliasrobotics/RVD/issues/1413",
        "reproducibility": "always",
        "trace": "N/A",
        "reproduction": "Not available",
        "reproduction-image": "Not available"
    },
    "exploitation": {
        "description": "OpenSSH SSH daemon allows user enumeration through timing differences when trying to authenticate users. When sshd tries to authenticate a non-existing user, it will pick up a fixed fake password structure with a hash based on the Blowfish algorithm. If real users passwords are hashed using SHA256/SHA512, then a remote attacker can take advantage of this flaw by sending large passwords, receiving shorter response times from the server for non-existing users. There are available modules for metasploit that exploit this vulnerability.",
        "exploitation-image": "Not disclosed",
        "exploitation-vector": "robosploit/modules/3_exploitation/ur/ssh-username-enumeration.py"
    },
    "mitigation": {
        "description": "Update OpenSSH to a more updated version that includes a fix for this vulnerability",
        "pull-request": "N/A",
        "date-mitigation": null
    }
}
vmayoral commented 4 years ago

https://asciinema.org/a/315683