CVE-2020-10291

{"id": "CVE-2020-10291", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Secondary", "source": "cve@aliasrobotics.com", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2020-11-06T12:15:11.633", "references": [{"url": "https://github.com/aliasrobotics/RVD/issues/3336", "tags": ["Issue Tracking", "Third Party Advisory"], "source": "cve@aliasrobotics.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-306"}]}, {"type": "Secondary", "source": "cve@aliasrobotics.com", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "Visual Components (owned by KUKA) is a robotic simulator that allows simulating factories and robots in order toimprove planning and decision-making processes. Visual Components software requires a special license which can beobtained from a network license server. The network license server binds to all interfaces (0.0.0.0) and listensfor packets over UDP port 5093. No authentication/authorization is required in order to communicate with theserver. The protocol being used is a property protocol by RMS Sentinel which provides the licensing infrastructurefor the network license server. RMS Sentinel license manager service exposes UDP port 5093 which provides sensitivesystem information that could be leveraged for further exploitation without any kind of authentication. Thisinformation includes detailed hardware and OS characteristics.After a decryption process, a textual protocol is found which contains a simple header with the requested command,application-identifier, and some arguments. The protocol leaks information regarding the receiving serverinformation, license information and managing licenses, among others.Through this flaw, attackers can retreive information about a KUKA simulation system, particularly, the version ofthe licensing server, which is connected to the simulator, and which will allow them to launch local simulationswith similar characteristics, further understanding the dynamics of motion virtualization and opening doors toother attacks (see RVDP#711 and RVDP#712 for subsequent vulnerabilities that compromise integrity andavailability).Beyond compromising simulations, Visual Components provides capabilities to interface with industrial machinery.Particularly, their PLC Connectivity feature 'makes it easy' to connect simulations with control systems usingeither the industry standard OPC UA or other supported vendor specific interfaces. This fills the gap of jumpingfrom simulation to real and enables attackers to pivot from the Visual Components simulator to robots or otherIndustrial Control System (ICS) devices, such as PLCs."}, {"lang": "es", "value": "Visual Components (propiedad de KUKA) es un simulador rob\u00f3tico que permite simular f\u00e1bricas y robots para mejorar los procesos de planificaci\u00f3n y toma de decisiones. El software Visual Components requiere una licencia especial que puede ser obtenida desde un servidor de licencias de red. El servidor de licencias de red se enlaza a todas las interfaces (0.0.0.0) y escucha los paquetes a trav\u00e9s del puerto UDP 5093. No es requerida una autenticaci\u00f3n y autorizaci\u00f3n para comunicarse con el servidor. El protocolo que es usado es un protocolo propiedad de RMS Sentinel que proporciona la infraestructura de licencias para el servidor de licencias de red. El servicio administrador de licencias de RMS Sentinel expone el puerto UDP 5093 que provee informaci\u00f3n confidencial del sistema que podr\u00eda ser aprovechada para una nueva explotaci\u00f3n sin ning\u00fan tipo de autenticaci\u00f3n. Esta informaci\u00f3n incluye caracter\u00edsticas detalladas de hardware y OS. Despu\u00e9s de un proceso de descifrado, se encuentra un protocolo textual que contiene un encabezado simple con el comando solicitado, el identificador de la aplicaci\u00f3n y algunos argumentos. El protocolo filtra informaci\u00f3n sobre el servidor receptor, informaci\u00f3n de la licencia y la administraci\u00f3n de licencias, entre otros. Por medio de este fallo, los atacantes pueden recuperar informaci\u00f3n sobre un sistema de simulaci\u00f3n de KUKA, en particular, la versi\u00f3n del servidor de licencias, que est\u00e1 conectado al simulador, y que les permitir\u00eda iniciar simulaciones locales con caracter\u00edsticas similares, comprender mejor la din\u00e1mica de la virtualizaci\u00f3n de movimiento y abrir puertas a otros ataques (consulte RVDP # 711 y RVDP # 712 para conocer las vulnerabilidades posteriores que comprometen la integridad y la disponibilidad) . M\u00e1s all\u00e1 de comprometer las simulaciones, Visual Components provee capacidades para interactuar con la maquinaria industrial. Particularmente, su funcionalidad PLC Connectivity \"facilita\" la conexi\u00f3n de simulaciones con sistemas de control que usan el est\u00e1ndar industrial OPC UA u otras interfaces espec\u00edficas de proveedores compatibles. Esto llena el vac\u00edo de saltar de la simulaci\u00f3n a lo real y permite a atacantes pasar del simulador de componentes visuales hacia los robots u otros dispositivos del Sistema de Control Industrial (ICS), como los PLC"}], "lastModified": "2021-12-20T22:25:52.520", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:kuka:visual_components_network_license_server:2.0.8:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "37AF9A3F-EDE2-4943-B441-F32E1669B48A"}], "operator": "OR"}]}], "sourceIdentifier": "cve@aliasrobotics.com"}