aliasrobotics / RVD

Robot Vulnerability Database. An archive of robot vulnerabilities and bugs.
https://aliasrobotics.com
GNU General Public License v3.0

RVD#44: Weak authentication on robot's main computer #44

Open aliasbot opened 6 years ago

aliasbot commented 6 years ago
{
    "id": 44,
    "title": "RVD#44: Weak authentication on robot's main computer",
    "type": "vulnerability",
    "description": "Researchers discovered that an attacker can bypass the User Authentication System (UAS) because of several implementation flaws: \r\n1) disabled authentication during system boot\r\n2) use of a default user name (without a password) that cannot be changed or removed\r\n3) the use of a specific user that comes with a set of unchangeable hardcoded credentials. It is possible to violate a robot\u2019s integrity through the control-loop alteration and calibration parameters tampering approaches described earlier. We wanted to overshoot the joints in order to collapse the robot on itself and force the servo motors beyond their physical, structural limits. Note that this attack is costly and potentially destructive because its goal is to damage the robot. Alternatively, an attacker could use the robot state alteration approach to repeatedly and abruptly start and stop a servo motor, causing electromechanical components, the brakes, and the servo motor to wear.  Acknowledgement: Davide Quarta, Marcello Pogliani, Mario Polino, Federico Maggi, Andrea M. Zanchettin, Stefano Zanero",
    "cwe": "CWE-Improper Authentication - Generic (CWE-287)",
    "cve": "None",
    "keywords": [
        "components hardware",
        "malformed",
        "robot component: IRB140's main computer",
        "severity: high",
        "state: new",
        "vendor: ABB",
        "vulnerability"
    ],
    "system": "IRB140's main computer",
    "vendor": "ABB",
    "severity": {
        "rvss-score": "None",
        "rvss-vector": "RVSS:1.0/AV:RN/AC:L/PR:H/UI:N/Y:T/S:U/C:N/I:H/A:L/H:H",
        "severity-description": "",
        "cvss-score": 0,
        "cvss-vector": ""
    },
    "links": [
        "https://github.com/aliasrobotics/RVD/issues/44"
    ],
    "flaw": {
        "phase": "unknown",
        "specificity": "N/A",
        "architectural-location": "N/A",
        "application": "N/A",
        "subsystem": "N/A",
        "package": "N/A",
        "languages": "None",
        "date-detected": "2017-05-03",
        "detected-by": "",
        "detected-by-method": "N/A",
        "date-reported": "2017-05-03",
        "reported-by": "",
        "reported-by-relationship": "N/A",
        "issue": "https://github.com/aliasrobotics/RVD/issues/44",
        "reproducibility": "",
        "trace": null,
        "reproduction": "",
        "reproduction-image": ""
    },
    "exploitation": {
        "description": "",
        "exploitation-image": "",
        "exploitation-vector": ""
    },
    "mitigation": {
        "description": "",
        "pull-request": "",
        "date-mitigation": null
    }
}
github-actions[bot] commented 4 years ago

Feedback (automatically generated):

Please review the feedback above. Once addressed, either request the removal of the malformed label to trigger another automatic review.
