RVD#68: Improper Access Control on IRB140's FlexPendant
id: 68
title: 'RVD#68: Improper Access Control on IRB140''s FlexPendant'
type: vulnerability
description: |
  Researchers found some issues in the compliance tool that comes with the
  FlexPendant software development kit (SDK). The tool does not actually enforce
  certain important restrictions, including preventing the use of namespaces that
  allow access to raw file system and RobAPI capabilities. Reported as RVDP.
  Acknowledgement: Davide Quarta, Marcello Pogliani, Mario Polino, Federico Maggi,
  Andrea M. Zanchettin, Stefano Zanero
cwe: CWE-Improper Access Control - Generic (CWE-284)
cve: None
keywords:
- components hardware
- malformed
- 'robot component: IRB140''s flex pendant'
- 'severity: medium'
- 'state: new'
- 'vendor: ABB'
- vulnerability
system: IRB140's flex pendant
vendor: ABB
severity:
  rvss-score: 6.5
  rvss-vector: RVSS:1.0/AV:RN/AC:H/PR:N/UI:N/Y:T/S:U/C:H/I:N/A:N/H:N
  severity-description: 'medium'
  cvss-score: 0
  cvss-vector: ''
links:
- https://github.com/aliasrobotics/RVD/issues/68
- https://www.trendmicro.es/media/wp/industrial-robot-security-wp-en.pdf
- https://github.com/aliasrobotics/RVD/issues/63
flaw:
  phase: unknown
  specificity: N/A
  architectural-location: N/A
  application: N/A
  subsystem: N/A
  package: N/A
  languages: None
  date-detected: '2017-05-03'
  detected-by: ''
  detected-by-method: N/A
  date-reported: '2017-05-03'
  reported-by: ''
  reported-by-relationship: N/A
  issue: https://github.com/aliasrobotics/RVD/issues/68
  reproducibility: ''
  trace: null
  reproduction: ''
  reproduction-image: ''
exploitation:
  description: ''
  exploitation-image: ''
  exploitation-vector: ''
  exploitation-recipe: ''
mitigation:
  description: ''
  pull-request: ''
  date-mitigation: null
Feedback (automatically generated):
- FIXME: Flaw not identified as a vulnerability, weakness or exposure. Have you included `# Vulnerability (or Weakness or Exposure) report` at the top of the ticket? See for more information or review other tickets to get inspiration.

Please review the feedback above. Once addressed, either request the removal of the malformed label to trigger another automatic review.
Feedback (automatically generated):
- FIXME: Robot or Robot component not present in summary table or invalid. See for more information or review other tickets and get inspiration.

Please review the feedback above. Once addressed, either request the removal of the malformed label to trigger another automatic review.
No information was found about whether this fix has been addressed or not. Maintaining as is for now.
Excuse me. Have you successfully reproduced the vulnerabilities from RVD#63 to RVD#68? I want to reproduce them, but I've got some trouble.
Hello @Starsuki, thanks for the ping. I don't think this ticket was triaged by us just yet, but the original authors did report it and provided enough evidence. This ticket probably got automatically fetched by our scan jobs. I'll add the triage label and update its syntax to the latest one.
Triage-wise, we have limited bandwidth but are always open to cooperating. Could you describe a bit more what your status is right now? What exactly are you struggling with? What steps have you followed to reproduce it so far?
ping @glerapic
Hello @Starsuki, we should be able to triage this ticket in our lab. As @vmayoral said, the main problem we have ATM is bandwidth, but we are always happy to collaborate with the community, so feel free to contact us.