aliasrobotics / RVD

Robot Vulnerability Database. An archive of robot vulnerabilities and bugs.
https://aliasrobotics.com
GNU General Public License v3.0

RVD#34: Universal Robots Controller supports wireless mouse/keyboards on their USB interface #34

Open aliasbot opened 6 years ago

aliasbot commented 6 years ago
{
    "id": 34,
    "title": "RVD#34: Universal Robots Controller supports wireless mouse/keyboards on their USB interface",
    "type": "vulnerability",
    "description": "Universal Robots Controller supports wireless mouse/keyboards on their USB interface. A special USB device acting as a keyboard can inject keystrokes to potentially change settings on the robot or manipulate actions. Robot joints can be controlled over these ports, robot actions updated/changed or configurations modified. Connecting a special USB device, that acts as a keyboard, can type malicious commands to the robot or change settings. Credits to: Cesar Cerrudo and Lucas Apa from IOActive",
    "cwe": "CWE-Command Injection - Generic (CWE-77)",
    "cve": "None",
    "keywords": [
        "components hardware",
        "robot component: Universal Robots Controller",
        "severity: high",
        "state: new",
        "vendor: Universal Robots",
        "vulnerability"
    ],
    "system": "Universal Robots Controller",
    "vendor": "Universal Robots",
    "severity": {
        "rvss-score": 7.0,
        "rvss-vector": "RVSS:1.0/AV:PI/AC:H/PR:N/UI:N/Y:T/S:U/C:N/I:H/A:N/H:H",
        "severity-description": "high",
        "cvss-score": 4.2,
        "cvss-vector": "CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"
    },
    "links": [
        "https://ioactive.com/pdfs/Hacking-Robots-Before-Skynet-Technical-Appendix.pdf",
        "https://ioactive.com/exploiting-industrial-collaborative-robots/",
        "https://github.com/aliasrobotics/RVD/issues/34"
    ],
    "flaw": {
        "phase": "testing",
        "specificity": "subject-specific",
        "architectural-location": "application-specific code",
        "application": "manipulation",
        "subsystem": "actuation:manipulator",
        "package": "N/A",
        "languages": "None",
        "date-detected": "2017-03-01",
        "detected-by": "Lucas Apa (IOActive)",
        "detected-by-method": "testing violation",
        "date-reported": "2017-03-01",
        "reported-by": "Lucas Apa (IOActive)",
        "reported-by-relationship": "security researcher",
        "issue": "https://github.com/aliasrobotics/RVD/issues/6",
        "reproducibility": "always",
        "trace": null,
        "reproduction": "",
        "reproduction-image": ""
    },
    "exploitation": {
        "description": "",
        "exploitation-image": "",
        "exploitation-vector": ""
    },
    "mitigation": {
        "description": "",
        "pull-request": "",
        "date-mitigation": null
    }
}
github-actions[bot] commented 5 years ago

Feedback (automatically generated):

Please review the feedback above. Once addressed, request the removal of the malformed label to trigger another automatic review.