CVE-2018-20785

{"id": "CVE-2018-20785", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.4, "accessVector": "LOCAL", "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 3.4, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.4, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.4}]}, "published": "2019-02-23T14:29:00.427", "references": [{"url": "https://media.ccc.de/v/2018-124-pinky-brain-are-taking-over-the-world-with-vacuum-cleaners#t=745", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Secure boot bypass and memory extraction can be achieved on Neato Botvac Connected 2.2.0 devices. During startup, the AM335x secure boot feature decrypts and executes firmware. Secure boot can be bypassed by starting with certain commands to the USB serial port. Although a power cycle occurs, this does not completely reset the chip: memory contents are still in place. Also, it restarts into a boot menu that enables XMODEM upload and execution of an unsigned QNX IFS system image, thereby completing the bypass of secure boot. Moreover, the attacker can craft custom IFS data and write it to unused memory to extract all memory contents that had previously been present. This includes the original firmware and sensitive information such as Wi-Fi credentials."}, {"lang": "es", "value": "Puede lograrse la omisi\u00f3n del arranque seguro y la extracci\u00f3n de memoria en dispositivos Neato Botvac Connected 2.2.0. Durante el arranque, la caracter\u00edstica de arranque seguro de AM335x descifra y ejecuta firmware. El arranque seguro puede omitirse al comenzar con ciertos comandos en el puerto en serie USB. Aunque ocurre un ciclo de encendido, esto no reinicia por completo el chip: el contenido de la memoria sigue en su sitio. Adem\u00e1s, se reinicia en un men\u00fa de arranque que habilita la subida y ejecuci\u00f3n XMODEM de una imagen del sistema QNX IFS no firmada, por lo que se completa la omisi\u00f3n del arranque seguro. Adem\u00e1s, el atacante puede manipular datos IFS personalizados y escribirlos en la memoria no utilizada para extraer todo el contenido de la memoria que hab\u00eda estado previamente presente. Esto incluye el firmware original e informaci\u00f3n sensible, como las credenciales wifi."}], "lastModified": "2019-10-03T00:03:26.223", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:neatorobotics:botvac_d4_connected_firmware:2.2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C5F39FEF-F0CD-47D3-A76F-20688D6F2E58"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:neatorobotics:botvac_d4_connected:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "4AAFEF4A-DBE0-4ED5-BC9B-DE085A4B17A1"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:neatorobotics:botvac_d6_connected_firmware:2.2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "63C8908D-FD7C-446C-B85B-C312B5337294"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:neatorobotics:botvac_d6_connected:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "CFD5F294-65E5-4D9E-A6D6-BE61333FBD16"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:neatorobotics:botvac_d5_connected_firmware:2.2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "393A3329-4841-4599-9598-508DCF3B26B9"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:neatorobotics:botvac_d5_connected:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "70999A82-A525-46AC-A2E1-03683AC79671"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:neatorobotics:botvac_d7_connected_firmware:2.2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "30356F2E-BB23-45B3-BAE7-D0CBAF4BA6C8"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:neatorobotics:botvac_d7_connected:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "EC421B90-A38E-45D9-AF16-ACFC332093D2"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:neatorobotics:botvac_d3_connected_firmware:2.2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DD8E795F-8B0D-4650-B66D-6797012EE5A7"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:neatorobotics:botvac_d3_connected:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "9A240FF2-EB9C-4A12-A382-69F03397A09D"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:neatorobotics:botvac_d3_pro_connected_firmware:2.2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C52FADA5-99C7-491D-B614-549221BFB2BA"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:neatorobotics:botvac_d3_pro_connected:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "FF2B65F8-E908-4058-A2F6-919452FE6BFF"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:neatorobotics:botvac_connected_firmware:2.2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B542B9AD-E056-49A8-ADF2-FD108ECBB942"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:neatorobotics:botvac_connected:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "3ED28CBB-4372-4CA3-AA13-290480A52E4A"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}