RVD icon indicating copy to clipboard operation
RVD copied to clipboard
verified publisher icon aliasrobotics

RVD#1487: No integrity checks on UR+ platform artifacts when installed in the robot

Open rvd-bot opened this issue 5 years ago • 1 comments 

{
    "id": 1487,
    "title": "RVD#1487: No integrity checks on UR+ platform artifacts when installed in the robot",
    "type": "vulnerability",
    "description": "UR+ (Universal Robots+) is a platform of hardware and software component sellers, for Universal Robots robots. When installing any of these components in the robots (e.g. in the UR10), no integrity checks are performed. Moreover, the SDK for making such components can be easily obtained from Universal Robots. An attacker could exploit this flaw by crafting a custom component with the SDK, performing Person-In-The-Middle attacks (PITM) and shipping the maliciously-crafted component on demand.",
    "cwe": "CWE-353 (Missing Support for Integrity Check)",
    "cve": CVE-2020-10266,
    "keywords": [
        "Universal Robots"
    ],
    "system": "CB3 SW Versions 3.3 up to 3.12.1",
    "vendor": "Universal Robots",
    "severity": {
        "rvss-score": 10.0,
        "rvss-vector": "RVSS:1.0/AV:AN/AC:L/PR:N/UI:R/Y:Z/S:U/C:H/I:H/A:H/H:H",
        "severity-description": "critical",
        "cvss-score": 8.8,
        "cvss-vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
    },
    "links": [
        "https://www.universal-robots.com/plus/",
        "https://www.universal-robots.com/plus/developer/",
        "https://github.com/aliasrobotics/RVD/issues/1487"
    ],
    "flaw": {
        "phase": "testing",
        "specificity": "general issue",
        "architectural-location": "platform code",
        "application": "industrial robot manipulator",
        "subsystem": "manipulation:actuation",
        "package": "libc6 2.19-11 i386",
        "languages": "C",
        "date-detected": null,
        "detected-by": "Victor Mayoral Vilches <[email protected]>, Mike Karamousadakis, Lander Usategui San Juan",
        "detected-by-method": "testing",
        "date-reported": "2020-04-03",
        "reported-by": "Victor Mayoral Vilches <[email protected]>",
        "reported-by-relationship": "security researcher",
        "issue": "https://github.com/aliasrobotics/RVD/issues/1487",
        "reproducibility": "always",
        "trace": "N/A",
        "reproduction": "https://www.youtube.com/watch?v=y4AB-l-zFR4",
        "reproduction-image": "Not available"
    },
    "exploitation": {
        "description": "The lack of integrity checks in the URCaps downloaded from UR+ platform allow an attacker to take complete control of the robot and compromise confidentiality, integrity and availability. The UR+ SDK is widely available which allow malicious attackers to 'cook' malicious URCaps and ship them to targets via PITM attacks. User Interaction is required in the sense that she/he would need to install the .urcap in the robot.",
        "exploitation-image": "Not available",
        "exploitation-vector": "Not available"
    },
    "mitigation": {
        "description": "Digitally sign the UR+ platform components and check the signature during the intalation process.",
        "pull-request": "Not available",
        "date-mitigation": null
    }
}

rvd-bot avatar Apr 03 '20 14:04 rvd-bot

Demonstration available at https://www.youtube.com/watch?v=y4AB-l-zFR4

Reproduction simplified with the following alurity.yml file:

alurity.yml 
networks:
  - network:
    - driver: overlay
    - name: urnetwork
    - encryption: false

containers:
  - container:
    - name: ur_3121
    - modules:
         - base: registry.gitlab.com/aliasrobotics/offensive/alurity/robo_ur_cb3_1:3.12.1
         - network: urnetwork
    - cpus: 4
    - memory: 4096

  - container:
    - name: attacker
    - modules:
         - base: registry.gitlab.com/aliasrobotics/offensive/alurity/alurity:latest
         - volume: registry.gitlab.com/aliasrobotics/offensive/alurity/expl_robosploit/expl_robosploit:latest
         - volume: registry.gitlab.com/aliasrobotics/offensive/alurity/deve_atom:latest
         - volume: registry.gitlab.com/aliasrobotics/offensive/alurity/reco_nmap:latest
         - network: urnetwork

##################
# flow for testing and development
##################

flow:
  # - container:
  #   - name: attacker
  #   - window:
  #       - name: attacker
  #       - commands:
  #         - command: "sleep 3"
  #         - command: "nmap -sV -T5 ur_3121"
  #
  - container:
    - name: ur_3121
    - window:
        - name: gui
        - commands:
          - type: "source /root/run_gui.sh && $RUN_GUI"
          # - command: "source /root/run_gui.sh && $RUN_GUI"
    - window:
        - name: urcap
        - commands:
          # Launch ssh daemon
          - command: "mkdir /var/run/sshd"
          - command: "/usr/sbin/sshd"
          # # Fetch ROS Industrial driver's UR cap
          # - command: "cd /root/.urcaps && wget https://github.com/UniversalRobots/Universal_Robots_ROS_Driver/raw/master/ur_robot_driver/resources/externalcontrol-1.0.1.urcap"
          # Fetch a commercial dashboard solution for evaluation
          - command: "cd /programs && wget https://github.com/KimNyholm/web-dashboard-urcap/archive/v2.1.0.zip && unzip v2.1.0.zip"
          # Force install it
          - command: "cp /programs/web-dashboard-urcap-2.1.0/webdashboard-2.1.0.urcap /root/.urcaps"
          - split: horizontal
          - command: "htop"
#   - attach: attacker

vmayoral avatar Apr 03 '20 14:04 vmayoral