search

aliasrobotics / RVD

Robot Vulnerability Database. An archive of robot vulnerabilities and bugs.
https://aliasrobotics.com
GNU General Public License v3.0
171 stars 31 forks source link

RVD#1487: No integrity checks on UR+ platform artifacts when installed in the robot #1487

Open rvd-bot opened 4 years ago

rvd-bot commented 4 years ago 
{
    "id": 1487,
    "title": "RVD#1487: No integrity checks on UR+ platform artifacts when installed in the robot",
    "type": "vulnerability",
    "description": "UR+ (Universal Robots+) is a platform of hardware and software component sellers, for Universal Robots robots. When installing any of these components in the robots (e.g. in the UR10), no integrity checks are performed. Moreover, the SDK for making such components can be easily obtained from Universal Robots. An attacker could exploit this flaw by crafting a custom component with the SDK, performing Person-In-The-Middle attacks (PITM) and shipping the maliciously-crafted component on demand.",
    "cwe": "CWE-353 (Missing Support for Integrity Check)",
    "cve": CVE-2020-10266,
    "keywords": [
        "Universal Robots"
    ],
    "system": "CB3 SW Versions 3.3 up to 3.12.1",
    "vendor": "Universal Robots",
    "severity": {
        "rvss-score": 10.0,
        "rvss-vector": "RVSS:1.0/AV:AN/AC:L/PR:N/UI:R/Y:Z/S:U/C:H/I:H/A:H/H:H",
        "severity-description": "critical",
        "cvss-score": 8.8,
        "cvss-vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
    },
    "links": [
        "https://www.universal-robots.com/plus/",
        "https://www.universal-robots.com/plus/developer/",
        "https://github.com/aliasrobotics/RVD/issues/1487"
    ],
    "flaw": {
        "phase": "testing",
        "specificity": "general issue",
        "architectural-location": "platform code",
        "application": "industrial robot manipulator",
        "subsystem": "manipulation:actuation",
        "package": "libc6 2.19-11 i386",
        "languages": "C",
        "date-detected": null,
        "detected-by": "Victor Mayoral Vilches <victor@aliasrobotics.com>, Mike Karamousadakis, Lander Usategui San Juan",
        "detected-by-method": "testing",
        "date-reported": "2020-04-03",
        "reported-by": "Victor Mayoral Vilches <victor@aliasrobotics.com>",
        "reported-by-relationship": "security researcher",
        "issue": "https://github.com/aliasrobotics/RVD/issues/1487",
        "reproducibility": "always",
        "trace": "N/A",
        "reproduction": "https://www.youtube.com/watch?v=y4AB-l-zFR4",
        "reproduction-image": "Not available"
    },
    "exploitation": {
        "description": "The lack of integrity checks in the URCaps downloaded from UR+ platform allow an attacker to take complete control of the robot and compromise confidentiality, integrity and availability. The UR+ SDK is widely available which allow malicious attackers to 'cook' malicious URCaps and ship them to targets via PITM attacks. User Interaction is required in the sense that she/he would need to install the .urcap in the robot.",
        "exploitation-image": "Not available",
        "exploitation-vector": "Not available"
    },
    "mitigation": {
        "description": "Digitally sign the UR+ platform components and check the signature during the intalation process.",
        "pull-request": "Not available",
        "date-mitigation": null
    }
}
vmayoral commented 4 years ago

Demonstration available at https://www.youtube.com/watch?v=y4AB-l-zFR4

Reproduction simplified with the following alurity.yml file:

alurity.yml ```yaml networks: - network: - driver: overlay - name: urnetwork - encryption: false containers: - container: - name: ur_3121 - modules: - base: registry.gitlab.com/aliasrobotics/offensive/alurity/robo_ur_cb3_1:3.12.1 - network: urnetwork - cpus: 4 - memory: 4096 - container: - name: attacker - modules: - base: registry.gitlab.com/aliasrobotics/offensive/alurity/alurity:latest - volume: registry.gitlab.com/aliasrobotics/offensive/alurity/expl_robosploit/expl_robosploit:latest - volume: registry.gitlab.com/aliasrobotics/offensive/alurity/deve_atom:latest - volume: registry.gitlab.com/aliasrobotics/offensive/alurity/reco_nmap:latest - network: urnetwork ################## # flow for testing and development ################## flow: # - container: # - name: attacker # - window: # - name: attacker # - commands: # - command: "sleep 3" # - command: "nmap -sV -T5 ur_3121" # - container: - name: ur_3121 - window: - name: gui - commands: - type: "source /root/run_gui.sh && $RUN_GUI" # - command: "source /root/run_gui.sh && $RUN_GUI" - window: - name: urcap - commands: # Launch ssh daemon - command: "mkdir /var/run/sshd" - command: "/usr/sbin/sshd" # # Fetch ROS Industrial driver's UR cap # - command: "cd /root/.urcaps && wget https://github.com/UniversalRobots/Universal_Robots_ROS_Driver/raw/master/ur_robot_driver/resources/externalcontrol-1.0.1.urcap" # Fetch a commercial dashboard solution for evaluation - command: "cd /programs && wget https://github.com/KimNyholm/web-dashboard-urcap/archive/v2.1.0.zip && unzip v2.1.0.zip" # Force install it - command: "cp /programs/web-dashboard-urcap-2.1.0/webdashboard-2.1.0.urcap /root/.urcaps" - split: horizontal - command: "htop" # - attach: attacker ```