id: 3322
title: 'RVD#3322: Weak authentication implementation make the system vulnerable to
a brute-force attack over adjacent networks'
type: vulnerability
description: The authentication implementation on the xArm controller has very low
entropy, making it vulnerable to a brute-force attack. There is no mechanism in
place to mitigate or lockout automated attempts to gain access.
cwe: CWE-307
cve: CVE-2020-10285
keywords:
- xArm5 Lite, xArm6, xArm7, authentication
system: xArm5 Lite v1.5.0 and before, xArm6, xArm7
vendor: uFactory
severity:
rvss-score: 8.3
rvss-vector: RVSS:1.0/AV:AN/AC:L/PR:N/UI:N/S:U/Y:Z/C:H/I:L/A:H/H:U
severity-description: high
cvss-score: 8.3
cvss-vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
links:
- https://cwe.mitre.org/data/definitions/307.html
- https://github.com/aliasrobotics/RVD/issues/3322
flaw:
phase: runtime-operation
specificity: general-issue
architectural-location: application-specific
application: Gentoo Linux
subsystem: SSH
package: N/A
languages: N/A
date-detected: 2020-06-18
detected-by: Alfonso Glera (Alias Robotics)
detected-by-method: testing-dynamic alutiry:robo_xarm
date-reported: '2020-07-15'
reported-by: "Victor Mayoral Vilches (Alias Robotics)"
reported-by-relationship: null
issue: https://github.com/aliasrobotics/RVD/issues/3322
reproducibility: always
trace: Not disclosed
reproduction: Not disclosed
reproduction-image: Not disclosed
exploitation:
description: Not disclosed
exploitation-image: Not disclosed
exploitation-vector: Not disclosed
exploitation-recipe: ''
mitigation:
description: Not disclosed
pull-request: Not disclosed
date-mitigation: null