
RVD#2562: Booting from a live image leads to exfiltration of sensitive information and privilege escalation #2562

Open
@rvd-bot

Description

id: 2562
title: 'RVD#2562: Booting from a live image leads to exfiltration of sensitive information
  and privilege escalation'
type: vulnerability
description: There is no mechanism in place to prevent a malicious operator from booting
  the machine from a live OS image. This can lead to extraction of sensitive files (such
  as the shadow file) or to privilege escalation by manually adding a new user with sudo
  privileges on the machine.
cwe: CWE-656
cve: CVE-2020-10277
keywords:
- MiR100, MiR200, MiR500, MiR250, MiR1000, ER200, ER-Lite, ER-Flex,
  ER-One, UVD
system: MiR100:v2.8.1.1 and before, MiR200, MiR250, MiR500, MiR1000, ER200,
  ER-Lite, ER-Flex, ER-One, UVD
vendor: Mobile Industrial Robots A/S, EasyRobotics, Enabled Robotics, UVD Robots
severity:
  rvss-score: 7.3
  rvss-vector: RVSS:1.0/AV:PR/AC:L/PR:N/UI:N/S:U/Y:Z/C:H/I:L/A:H/H:N/
  severity-description: high
  cvss-score: 6.4
  cvss-vector: CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
links:
- https://cwe.mitre.org/data/definitions/656.html
- https://github.com/aliasrobotics/RVD/issues/2562
flaw:
  phase: testing
  specificity: General Issue
  architectural-location: application-specific
  application: Ubuntu
  subsystem: N/A
  package: N/A
  languages: N/A
  date-detected: 2020-06-11
  detected-by: Lander Usategui, Alfonso Glera (Alias Robotics)
  detected-by-method: testing-dynamic
  date-reported: '2020-06-24'
  reported-by: "Victor Mayoral Vilches (Alias Robotics)"
  reported-by-relationship: security researcher
  issue: https://github.com/aliasrobotics/RVD/issues/2562
  reproducibility: always
  trace: Not disclosed
  reproduction: Not disclosed
  reproduction-image: Not disclosed
exploitation:
  description: Not disclosed
  exploitation-image: Not disclosed
  exploitation-vector: Not disclosed
  exploitation-recipe: ''
mitigation:
  description: Not disclosed
  pull-request: Not disclosed
  date-mitigation: null
