RVD#3321: No Authentication required to exert manual control of the robot #3321

Open
rvd-bot opened this issue Jul 15, 2020 · 0 comments

rvd-bot commented Jul 15, 2020

id: 3321
title: 'RVD#3321: No Authentication required to exert manual control of the robot'
type: vulnerability
description: No authentication is required to control the robot inside the network.
  Moreover, the latest available user manual shows an option that lets the user add
  a password to the robot, but as of xarm_studio 1.3.0 the option is missing from the
  menu. Assuming manual control, even by forcefully removing the current operator
  from an active session.
cwe: CWE-656
cve: CVE-2020-10284
keywords:
- xArm5 Lite, xArm6, xArm7, authentication
system: 'xArm5 Lite, xArm6, xArm7: v1.5.0 and before'
vendor: uFactory
severity:
  rvss-score: 10.0
  rvss-vector: RVSS:1.0/AV:AN/AC:L/PR:N/UI:N/S:U/Y:Z/C:N/I:H/A:H/H:H
  severity-description: critical
  cvss-score: 10.0
  cvss-vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
links:
- https://cwe.mitre.org/data/definitions/656.html
- https://github.com/aliasrobotics/RVD/issues/3321
- https://www.ufactory.cc/#/en/support/download/xarm
flaw:
  phase: runtime-operation
  specificity: general-issue
  architectural-location: null
  application: xarm_studio v1.3.0
  subsystem: N/A
  package: N/A
  languages: N/A
  date-detected: 2020-06-18
  detected-by: Alfonso Glera (Alias Robotics)
  detected-by-method: testing-dynamic
  date-reported: '2020-07-15'
  reported-by: "V\xEDctor Mayoral Vilches (Alias Robotics)"
  reported-by-relationship: security researcher
  issue: https://github.com/aliasrobotics/RVD/issues/3321
  reproducibility: always
  trace: Not disclosed
  reproduction: Not disclosed
  reproduction-image: Not disclosed
exploitation:
  description: Not disclosed
  exploitation-image: Not disclosed
  exploitation-vector: Not disclosed
  exploitation-recipe: ''
mitigation:
  description: Not disclosed
  pull-request: Not disclosed
  date-mitigation: null
@rvd-bot rvd-bot changed the title No Authentication required to exert manual control of the robot RVD#3321: No Authentication required to exert manual control of the robot Jul 15, 2020
@vmayoral vmayoral added the components hardware Vulnerabilities in hardware robot components (e.g. a LIDAR) label Jul 15, 2020