Open
Labels
robot: ER-Flex, robot: ER-Lite, robot: ER-One, robot: ER200, robot: MiR100, robot: MiR1000, robot: MiR200, robot: MiR250, robot: MiR500, robot: UVD, severity: critical (9.0 - 10.0), vendor: Easy Robotics, vendor: Enabled Robotics, vendor: Mobile Industrial Robots, vendor: Robotplus (https://robotplus.es/), vendor: UVD Robots, vulnerability
Description
id: 2558
title: 'RVD#2558: Default credentials on SICK PLC allows disabling safety features'
type: vulnerability
description: The password for the safety PLC is the default and thus easy to find
  (in manuals, etc.). This allows a manipulated program to be uploaded to the safety
  PLC, effectively disabling the emergency stop in case an object is too close to
  the robot. Navigation and any other components dependent on the laser scanner are
  not affected (thus it is hard to detect before something happens) though the laser
  scanner configuration can also be affected altering further the safety of the device.
cwe: CWE-798
cve: CVE-2020-10276
keywords:
- MiR100, MiR200, MiR500, MiR250, MiR1000, ER200, ER-Lite, ER-Flex,
  ER-One, UVD, Autentication
system: MiR100:v2.8.1.1 and before, MiR200, MiR250, MiR500, MiR1000, ER200,
  ER-Lite, ER-Flex, ER-One, UVD
vendor: Mobile Industrial Robots A/S, EasyRobotics, Enabled Robotics, UVD Robots
severity:
  rvss-score: 9.4
  rvss-vector: RVSS:1.0/AV:IN/AC:H/PR:L/UI:N/Y:Z/S:U/C:H/I:H/A:H/H:H
  severity-description: Critical
  cvss-score: 9.8
  cvss-vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
links:
- https://cwe.mitre.org/data/definitions/798.html
- http://bernharddieber.com/publication/taurer2019mirsafety
- https://github.com/aliasrobotics/RVD/issues/2558
flaw:
  phase: runtime-operation
  specificity: general-issue
  architectural-location: Plataform code
  application: Safety PLC
  subsystem: Sensing:Safety_PLC
  package: N/A
  languages: Flexi Soft Designer
  date-detected: 2019-07-01
  detected-by: Bernhard Dieber (Joanneum Research)
  detected-by-method: testing dynamic
  date-reported: '2020-06-24'
  reported-by: "Victor Mayoral Vilches (Alias Robotics)"
  reported-by-relationship: security researcher
  issue: https://github.com/aliasrobotics/RVD/issues/2558
  reproducibility: Always
  trace: Not disclosed
  reproduction: Not disclosed
  reproduction-image: Not disclosed
exploitation:
  description: Not disclosed
  exploitation-image: Not disclosed
  exploitation-vector: Not disclosed
  exploitation-recipe:
    networks:
    - network:
      - driver: overlay
      - name: mireth-network
      - encryption: false
    containers:
    - container:
      - name: mir100
      - modules:
        - base: registry.gitlab.com/aliasrobotics/offensive/alurity/robo_mir100:2.8.1.1
        - network: mireth-network
    - container:
      - name: attacker
      - modules:
        - base: registry.gitlab.com/aliasrobotics/offensive/alurity/comp_ros:latest
        - volume: registry.gitlab.com/aliasrobotics/offensive/alurity/expl_robosploit/expl_robosploit:latest
        - volume: registry.gitlab.com/aliasrobotics/offensive/alurity/deve_atom:latest
        - volume: registry.gitlab.com/aliasrobotics/offensive/alurity/reco_nmap:latest
        - network: mireth-network
    flow:
    - container:
      - name: attacker
      - window:
        - name: attacker
        - commands:
          - command: 'export TARGET=$(nslookup mir100 | awk "NR==6{print$2}" | sed
              "s/Address: //g")'
          - command: robosploit -m exploits/mir/safety/plc_disable
    - container:
      - name: mir100
      - window:
        - name: setup
        - commands:
          - command: mkdir /var/run/sshd
          - command: /usr/sbin/sshd
          - command: /bin/sleep 5
          - command: sudo mkdir /run/lock
          - command: /etc/init.d/apache2 start
          - split: horizontal
          - command: /bin/sleep 2
          - command: python /usr/local/mir/software/robot/release/db_backup.py
          - command: /etc/init.d/mysql start
          - command: /bin/sleep 2
          - command: /usr/sbin/mysqld --verbose &
      - window:
        - name: ros
        - commands:
          - command: python /usr/local/mir/software/robot/release/db_backup.py
          - command: sudo apt-key adv --keyserver 'hkp://keyserver.ubuntu.com:80'
              --recv-key C1CF6E31E6BADE8868B172B4F42ED6FBAB17C654
          - command: sudo apt-get update
          - command: roslaunch mirCommon mir_bringup.launch
      - select: setup
    - attach: attacker
mitigation:
  description: Not disclosed
  pull-request: Not disclosed
  date-mitigation: null