CVE-2018-17177
Last modified
CVE-2018-17177 is a low-severity vulnerability rated 2.4/10 on the CVSS scale. An issue was discovered on Neato Botvac Connected 2.2.0 and Botvac 85 1.2.1 devices. Static encryption is used for the copying of so-called "black box" logs (event logs and core dumps) to a USB stick. EPSS estimates a 0.17% chance of exploitation in the next 30 days.
Description
An issue was discovered on Neato Botvac Connected 2.2.0 and Botvac 85 1.2.1 devices. Static encryption is used for the copying of so-called "black box" logs (event logs and core dumps) to a USB stick. These logs are RC4-encrypted with a 9-character password of *^JEd4W!I that is obfuscated by hiding it within a custom /bin/rc4_crypt binary.
Metrics
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Neatorobotics | Botvac D4 Connected Firmware | 2.2.0 |
| Neatorobotics | Botvac D6 Connected Firmware | 2.2.0 |
| Neatorobotics | Botvac D5 Connected Firmware | 2.2.0 |
| Neatorobotics | Botvac D7 Connected Firmware | 2.2.0 |
| Neatorobotics | Botvac D3 Connected Firmware | 2.2.0 |
| Neatorobotics | Botvac 85 Firmware | 1.2.1 |
References
- https://media.ccc.de/v/2018-124-pinky-brain-are-taking-over-the-world-with-vacuum-cleanersExploit, Technical Description, Third Party Advisory
- https://media.ccc.de/v/2018-124-pinky-brain-are-taking-over-the-world-with-vacuum-cleanersExploit, Technical Description, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2018-17177?
How severe is CVE-2018-17177?
How do I fix CVE-2018-17177?
Are you affected by CVE-2018-17177?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST