RVD#3327: No authentication required for accessing ABB IRC5 FTP server
rvd-bot opened this issue · 0 comments
rvd-bot commented
id: 3327
title: 'RVD#3327: No authentication required for accessing ABB IRC5 FTP server'
type: vulnerability
description: IRC5 exposes an ftp server (port 21). Upon attempting to gain access
  you are challenged with a request of username and password, however you can input
  whatever you like. As long as the field isn't empty it will be accepted.
cwe: CWE-284
cve: CVE-2020-10288
keywords:
- IRC5, FTP, Authentication
system: IRB140, IRC5, Robotware_5.09, VxWorks5.5.1
vendor: ABB
severity:
  rvss-score: 9.4
  rvss-vector: RVSS:1.0/AV:IN/AC:H/PR:L/UI:N/Y:Z/S:U/C:H/I:H/A:H/H:H
  severity-description: Critical
  cvss-score: 9.8
  cvss-vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
links:
- https://cwe.mitre.org/data/definitions/284.html
- https://github.com/aliasrobotics/RVD/issues/3327
flaw:
  phase: testing
  specificity: general-issue
  architectural-location: Platform code
  application: FTP server
  subsystem: UI:Login
  package: N/A
  languages: None
  date-detected: 2020-05-11
  detected-by: Alfonso Glera, Victor Mayoral Vilches (Alias Robotics)
  detected-by-method: testing dynamic, Nmap.
  date-reported: '2020-07-15'
  reported-by: Victor Mayoral Vilches
  reported-by-relationship: security researcher
  issue: https://github.com/aliasrobotics/RVD/issues/3327
  reproducibility: Always
  trace: Not disclosed
  reproduction: Not disclosed
  reproduction-image: Not disclosed
exploitation:
  description: Not disclosed
  exploitation-image: Not disclosed
  exploitation-vector: Not disclosed
  exploitation-recipe: ''
mitigation:
  description: Not disclosed
  pull-request: Not disclosed
  date-mitigation: null