A (likely incomplete) list of the security findings contributed while building this manual is summarized below. The list is provided as a reference for the types of security flaws one should expect in modern robot technologies.
Refer to each of the security flaws and/or the corresponding advisories for additional details:
CVE ID | Description | Scope | CVSS | Notes |
---|---|---|---|---|
CVE-2019-19625 | The tools to generate and distribute keys for ROS 2 (SROS2) and use the underlying security plugins of DDS from ROS 2 leak node information due to a leaky default configuration (link). This exposure was first raised in the Security Workshop of ROSCon 2019 (Nov. 2019). Further debugging the flaw indicates that there might be some additional underlying issues. | ROS 2 Eloquent, Dashing | 7.5 | A first attempt to mitigate it in here. No further time allocated. |
CVE-2019-19626 | Bash scripts (magic UR files) get launched automatically with root privileges and without validation or sanitizing | CB-series UR3, UR5, UR10 | 6.8 (10.0 with RVSS) | CB 3.1 3.4.5-100 |
CVE-2019-19627 | SROS2 leaks node information, regardless of rtps_protection_kind setup | ROS 2 Eloquent, ROS 2 Dashing | 6.5 | Confirmed with FastRTPS DDS implementation as the underlying communication middleware of ROS 2 |
CVE-2020-10264 | RTDE Interface allows unauthenticated reading of robot data and unauthenticated writing of registers and outputs | CB-series 3.1 UR3, UR5, UR10, e-series UR3e, UR5e, UR10e, UR16e | 9.8 | CB 3.1 SW Version 3.3 and upwards, e-series SW version 5.0 and upwards |
CVE-2020-10265 | UR dashboard server enables unauthenticated remote control of core robot functions | CB-series 2 and 3.1 UR3, UR5, UR10, e-series UR3e, UR5e, UR10e, UR16e | 9.4 | Version CB2 SW Version 1.4 upwards, CB3 SW Version 3.0 and upwards, e-series SW Version 5.0 and upwards |
CVE-2020-10266 | No integrity checks on UR+ platform artifacts when installed in the robot | CB-series 3.1 UR3, UR5, UR10 | 8.8 | CB-series 3.1 FW versions 3.3 up to 3.12.1. Possibly affects older robots and newer (e-series) |
CVE-2020-10267 | Unprotected intellectual property in Universal Robots controller CB 3.1 across firmware versions | CB-series 3.1 UR3, UR5 and UR10 | 7.5 | tested on 3.13.0, 3.12.1, 3.12, 3.11 and 3.10.0 |
CVE-2020-10268 | Terminate Critical Services in KUKA controller KR C4 | KR3R540, KRC4, KSS8.5.7HF1, Win7_Embedded | 6.1 | Breaks robot calibration; special tools are required afterwards. |
CVE-2020-10269 | Hardcoded Credentials on MiRX00 wireless Access Point | MiR100, MiR250, MiR200, MiR500, MiR1000, ER200, ER-Flex, ER-Lite, UVD Robots model A, model B | 9.8 | firmware v2.8.1.1 and before |
CVE-2020-10270 | Hardcoded Credentials on MiRX00 Control Dashboard | MiR100, MiR250, MiR200, MiR500, MiR1000, ER200, ER-Flex, ER-Lite, UVD Robots model A, model B | 9.8 | v2.8.1.1 and before |
CVE-2020-10271 | MiR ROS computational graph is exposed to all network interfaces, including poorly secured wireless networks and open wired ones | MiR100, MiR250, MiR200, MiR500, MiR1000, ER200, ER-Flex, ER-Lite, UVD Robots model A, model B | 10.0 | v2.8.1.1 and before |
CVE-2020-10272 | MiR ROS computational graph presents no authentication mechanisms | MiR100, MiR250, MiR200, MiR500, MiR1000, ER200, ER-Flex, ER-Lite, UVD Robots model A, model B | 10.0 | v2.8.1.1 and before |
CVE-2020-10273 | Unprotected intellectual property in Mobile Industrial Robots (MiR) controllers | MiR100, MiR250, MiR200, MiR500, MiR1000, ER200, ER-Flex, ER-Lite, UVD Robots model A, model B | 7.5 | v2.8.1.1 and before |
CVE-2020-10274 | MiR REST API allows for data exfiltration by unauthorized attackers (e.g. indoor maps) | MiR100, MiR250, MiR200, MiR500, MiR1000, ER200, ER-Flex, ER-Lite, UVD Robots model A, model B | 7.1 | v2.8.1.1 and before |
CVE-2020-10275 | Weak token generation for the REST API | MiR100, MiR250, MiR200, MiR500, MiR1000, ER200, ER-Flex, ER-Lite, UVD Robots model A, model B | 9.8 | v2.8.1.1 and before |
CVE-2020-10276 | Default credentials on SICK PLC allows disabling safety features | MiR100, MiR250, MiR200, MiR500, MiR1000, ER200, ER-Flex, ER-Lite, UVD Robots model A, model B | 9.8 | v2.8.1.1 and before |
CVE-2020-10277 | Booting from a live image leads to exfiltration of sensitive information and privilege escalation | MiR100, MiR250, MiR200, MiR500, MiR1000, ER200, ER-Flex, ER-Lite, UVD Robots model A, model B | 6.4 | v2.8.1.1 and before |
CVE-2020-10278 | Unprotected BIOS allows user to boot from live OS image | MiR100, MiR250, MiR200, MiR500, MiR1000, ER200, ER-Flex, ER-Lite, UVD Robots model A, model B | 6.1 | v2.8.1.1 and before |
CVE-2020-10279 | Insecure operating system defaults in MiR robots | MiR100, MiR250, MiR200, MiR500, MiR1000, ER200, ER-Flex, ER-Lite, UVD Robots model A, model B | 10.0 | v2.8.1.1 and before |
CVE-2020-10280 | Apache server is vulnerable to a DoS | MiR100, MiR250, MiR200, MiR500, MiR1000, ER200, ER-Flex, ER-Lite, UVD Robots model A, model B | 8.2 | v2.8.1.1 and before |
CVE-2020-10281 | Cleartext transmission of sensitive information in MAVLink protocol version 1.0 and 2.0 | MAVLink and related autopilots (ArduPilot, PX4) | 7.5 | MAVLink v2.0 and before |
CVE-2020-10282 | No authentication in MAVLink protocol | MAVLink 1.0 and related autopilots (ArduPilot, PX4) | 9.8 | |
CVE-2020-10283 | MAVLink version handshaking allows for an attacker to bypass authentication | MAVLink 2.0 and before in all related autopilots (ArduPilot, PX4) | 10.0 | |
CVE-2020-10284 | No Authentication required to exert manual control of the robot | xArm5, xArm6, xArm7 | 10.0 | v1.5.0 and before |
CVE-2020-10285 | Weak authentication implementation makes the system vulnerable to a brute-force attack over adjacent networks | xArm5, xArm6, xArm7 | 8.3 | v1.5.0 and before |
CVE-2020-10286 | Mismanaged permission implementation leads to privilege escalation, exfiltration of sensitive information, and DoS | xArm5, xArm6, xArm7 | 8.3 | v1.5.0 and before |
CVE-2020-10287 | Hardcoded default credentials on IRC 5 OPC Server | ABB IRB140 IRC5 | 9.1 | |
CVE-2020-10288 | No authentication required for accessing ABB IRC5 FTP server | ABB's IRB140, IRC5, Robotware_5.09, VxWorks5.5.1 | 9.8 | |
CVE-2020-10289 | Use of unsafe yaml load, ./src/actionlib/tools/library.py | ROS Jade, Kinetic, Lunar, Melodic and Noetic | 8.0 | Mitigated in PR-Melodic and PR-Noetic |
CVE-2020-10290 | Universal Robots URCaps execute with unbounded privileges | CB-series 3.1 UR3, UR5 and UR10 | 6.8 | |
CVE-2020-10291 | System information disclosure without authentication on KUKA simulators | KUKA Visual Components Network License Server 2.0.8 | 7.5 | |
CVE-2020-10292 | Service DoS through arbitrary pointer dereferencing on KUKA simulator | KUKA Visual Components Network License Server 2.0.8 | 8.2 | |
CVE-2021-38445 | OCI OpenDDS versions prior to 3.18.1 do not handle a length parameter consistent with the actual length of the associated data, which may allow an attacker to remotely execute arbitrary code. | OpenDDS, ROS 2* | 7.0 | Failed assertion >= 3.18.1 |
CVE-2021-38447 | OCI OpenDDS versions prior to 3.18.1 are vulnerable when an attacker sends a specially crafted packet to flood target devices with unwanted traffic, which may result in a denial-of-service condition. | OpenDDS, ROS 2* | 8.6 | Resource exhaustion >= 3.18.1 |
CVE-2021-38435 | RTI Connext DDS Professional, Connext DDS Secure Versions 4.2x to 6.1.0, and Connext DDS Micro Versions 3.0.0 and later do not correctly calculate the size when allocating the buffer, which may result in a buffer overflow | ConnextDDS, ROS 2* | 8.6 | Segmentation fault via network >= 6.1.0 |
CVE-2021-38423 | All versions of GurumDDS improperly calculate the size to be used when allocating the buffer, which may result in a buffer overflow. | GurumDDS, ROS 2* | 8.6 | Segmentation fault via network |
CVE-2021-38439 | All versions of GurumDDS are vulnerable to heap-based buffer overflow, which may cause a denial-of-service condition or remotely execute arbitrary code. | GurumDDS, ROS 2* | 8.6 | Heap-overflow via network |
CVE-2021-38437 | | GurumDDS, ROS 2* | 7.3 | Unmaintained XML lib. |
CVE-2021-38441 | Eclipse CycloneDDS versions prior to 0.8.0 are vulnerable to a write-what-where condition, which may allow an attacker to write arbitrary values in the XML parser. | CycloneDDS, ROS 2* | 6.6 | Heap-write in XML parser |
CVE-2021-38443 | Eclipse CycloneDDS versions prior to 0.8.0 improperly handle invalid structures, which may allow an attacker to write arbitrary values in the XML parser. | CycloneDDS, ROS 2* | 6.6 | 8-bytes heap-write in XML parser |
CVE-2021-38427 | RTI Connext DDS Professional, Connext DDS Secure Versions 4.2x to 6.1.0, and Connext DDS Micro Versions 3.0.0 and later are vulnerable to a stack-based buffer overflow, which may allow a local attacker to execute arbitrary code | RTI ConnextDDS, ROS 2* | 6.6 | Stack overflow in XML parser >= 6.1.0 |
CVE-2021-38433 | RTI Connext DDS Professional, Connext DDS Secure Versions 4.2x to 6.1.0, and Connext DDS Micro Versions 3.0.0 and later are vulnerable to a stack-based buffer overflow, which may allow a local attacker to execute arbitrary code. | RTI ConnextDDS, ROS 2* | 6.6 | Stack overflow in XML parser >= 6.1.0 |
CVE-2021-38487 | RTI Connext DDS Professional, Connext DDS Secure Versions 4.2x to 6.1.0, and Connext DDS Micro Versions 3.0.0 and later are vulnerable when an attacker sends a specially crafted packet to flood victims’ devices with unwanted traffic, which may result in a denial-of-service condition. | ConnextDDS, ROS 2* | 8.6 | Mitigation patch in >= 6.1.0 |
CVE-2021-38429 | OCI OpenDDS versions prior to 3.18.1 are vulnerable when an attacker sends a specially crafted packet to flood victims’ devices with unwanted traffic, which may result in a denial-of-service condition. | OpenDDS, ROS 2* | 8.6 | Mitigation patch in >= 3.18.1 |
CVE-2021-38425 | eProsima Fast-DDS versions prior to 2.4.0 (#2269) are susceptible to exploitation when an attacker sends a specially crafted packet to flood a target device with unwanted traffic, which may result in a denial-of-service condition. | eProsima Fast-DDS, ROS 2* | 8.6 | WIP mitigation in master |
*: All ROS 2 versions in scope if powered by the vulnerable DDS middleware implementation.