Strix
26.1K

CVE-2020-10267

HIGHCVSS 7.5/10EPSS 0.93%

Last modified

CVE-2020-10267 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. Universal Robots control box CB 3.1 across firmware versions (tested on 1.12.1, 1.12, 1.11 and 1.10) does not encrypt or protect in any way the intellectual property artifacts installed from the UR+ platform of hardware and software components (URCaps). These files (*.urcaps) are stored under '/root/.urcaps' as plain zip files containing all the logic to add functionality to the UR3, UR5 and UR10 robots. EPSS estimates a 0.93% chance of exploitation in the next 30 days.

Description

Universal Robots control box CB 3.1 across firmware versions (tested on 1.12.1, 1.12, 1.11 and 1.10) does not encrypt or protect in any way the intellectual property artifacts installed from the UR+ platform of hardware and software components (URCaps). These files (*.urcaps) are stored under '/root/.urcaps' as plain zip files containing all the logic to add functionality to the UR3, UR5 and UR10 robots. This flaw allows attackers with access to the robot or the robot network (while in combination with other flaws) to retrieve and easily exfiltrate all installed intellectual property.

Metrics

CVSS 3.1
7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Probability
0.93%

56.0th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
Universal-RobotsUr Software>= 3.0.14989, <= 3.1.18213

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2020-10267?
Universal Robots control box CB 3.1 across firmware versions (tested on 1.12.1, 1.12, 1.11 and 1.10) does not encrypt or protect in any way the intellectual property artifacts installed from the UR+ platform of hardware and software components (URCaps). These files (*.urcaps) are stored under '/root/.urcaps' as plain zip files containing all the logic to add functionality to the UR3, UR5 and UR10 robots. This flaw allows attackers with access to the robot or the robot network (while in combination with other flaws) to retrieve and easily exfiltrate all installed intellectual property.
How severe is CVE-2020-10267?
CVE-2020-10267 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 0.93% probability of exploitation in the next 30 days.
How do I fix CVE-2020-10267?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2020-10267?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST