cnvd - cnvd-2020-47961

CNVD-2020-47961

Vulnerability from cnvd - Published: 2020-08-25

Title

Micro Air Vehicle Link路径遍历漏洞

Description

Micro Air Vehicle Link（MAVLink）是Dronecode项目的一款轻量级的消息传输协议，它主要用于地面控制终端（地面站）与无人机之间 (以及机载无人机组件之间) 的通信。 Micro Air Vehicle Link (MAVLink)协议中存在安全漏洞，该漏洞源于程序使用问答机制进行版本协商，未能采用身份验证机制。攻击者可借助特制的软件包利用该漏洞绕过身份验证，直接与自动驾驶系统进行交互。

Severity

高

Patch Name

Micro Air Vehicle Link路径遍历漏洞的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://mavlink.io/

Reference

https://github.com/aliasrobotics/RVD/issues/3316

Impacted products

Name
mavlink Micro Air Vehicle Link

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-10283",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2020-10283"
    }
  },
  "description": "Micro Air Vehicle Link\uff08MAVLink\uff09\u662fDronecode\u9879\u76ee\u7684\u4e00\u6b3e\u8f7b\u91cf\u7ea7\u7684\u6d88\u606f\u4f20\u8f93\u534f\u8bae\uff0c\u5b83\u4e3b\u8981\u7528\u4e8e\u5730\u9762\u63a7\u5236\u7ec8\u7aef\uff08\u5730\u9762\u7ad9\uff09\u4e0e\u65e0\u4eba\u673a\u4e4b\u95f4 (\u4ee5\u53ca\u673a\u8f7d\u65e0\u4eba\u673a\u7ec4\u4ef6\u4e4b\u95f4) \u7684\u901a\u4fe1\u3002\n\nMicro Air Vehicle Link (MAVLink)\u534f\u8bae\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u4f7f\u7528\u95ee\u7b54\u673a\u5236\u8fdb\u884c\u7248\u672c\u534f\u5546\uff0c\u672a\u80fd\u91c7\u7528\u8eab\u4efd\u9a8c\u8bc1\u673a\u5236\u3002 \u653b\u51fb\u8005\u53ef\u501f\u52a9\u7279\u5236\u7684\u8f6f\u4ef6\u5305\u5229\u7528\u8be5\u6f0f\u6d1e\u7ed5\u8fc7\u8eab\u4efd\u9a8c\u8bc1\uff0c\u76f4\u63a5\u4e0e\u81ea\u52a8\u9a7e\u9a76\u7cfb\u7edf\u8fdb\u884c\u4ea4\u4e92\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://mavlink.io/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-47961",
  "openTime": "2020-08-25",
  "patchDescription": "Micro Air Vehicle Link\uff08MAVLink\uff09\u662fDronecode\u9879\u76ee\u7684\u4e00\u6b3e\u8f7b\u91cf\u7ea7\u7684\u6d88\u606f\u4f20\u8f93\u534f\u8bae\uff0c\u5b83\u4e3b\u8981\u7528\u4e8e\u5730\u9762\u63a7\u5236\u7ec8\u7aef\uff08\u5730\u9762\u7ad9\uff09\u4e0e\u65e0\u4eba\u673a\u4e4b\u95f4 (\u4ee5\u53ca\u673a\u8f7d\u65e0\u4eba\u673a\u7ec4\u4ef6\u4e4b\u95f4) \u7684\u901a\u4fe1\u3002\r\n\r\nMicro Air Vehicle Link (MAVLink)\u534f\u8bae\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u4f7f\u7528\u95ee\u7b54\u673a\u5236\u8fdb\u884c\u7248\u672c\u534f\u5546\uff0c\u672a\u80fd\u91c7\u7528\u8eab\u4efd\u9a8c\u8bc1\u673a\u5236\u3002\u653b\u51fb\u8005\u53ef\u501f\u52a9\u7279\u5236\u7684\u8f6f\u4ef6\u5305\u5229\u7528\u8be5\u6f0f\u6d1e\u7ed5\u8fc7\u8eab\u4efd\u9a8c\u8bc1\uff0c\u76f4\u63a5\u4e0e\u81ea\u52a8\u9a7e\u9a76\u7cfb\u7edf\u8fdb\u884c\u4ea4\u4e92\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Micro Air Vehicle Link\u8def\u5f84\u904d\u5386\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "mavlink Micro Air Vehicle Link"
  },
  "referenceLink": "https://github.com/aliasrobotics/RVD/issues/3316",
  "serverity": "\u9ad8",
  "submitTime": "2020-08-21",
  "title": "Micro Air Vehicle Link\u8def\u5f84\u904d\u5386\u6f0f\u6d1e"
}

CVE-2020-10283 (GCVE-0-2020-10283)

Vulnerability from cvelistv5 – Published: 2020-08-20 08:15 – Updated: 2024-09-16 17:08

Summary

The Micro Air Vehicle Link (MAVLink) protocol presents authentication mechanisms on its version 2.0 however according to its documentation, in order to maintain backwards compatibility, GCS and autopilot negotiate the version via the AUTOPILOT_VERSION message. Since this negotiation depends on the answer, an attacker may craft packages in a way that hints the autopilot to adopt version 1.0 of MAVLink for the communication. Given the lack of authentication capabilities in such version of MAVLink (refer to CVE-2020-10282), attackers may use this method to bypass authentication capabilities and interact with the autopilot directly.

Severity ?

8.1 (High)


                        
                          CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-288

Assigner

Alias

References

URL

Tags

https://github.com/aliasrobotics/RVD/issues/3316

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	PX4	MAVLink	Affected: 2.0

Credits

Victor Mayoral Vilches (Alias Robotics)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T10:58:40.387Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/aliasrobotics/RVD/issues/3316"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "MAVLink",
          "vendor": "PX4",
          "versions": [
            {
              "status": "affected",
              "version": "2.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Victor Mayoral Vilches (Alias Robotics)"
        }
      ],
      "datePublic": "2020-08-20T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The Micro Air Vehicle Link (MAVLink) protocol presents authentication mechanisms on its version 2.0 however according to its documentation, in order to maintain backwards compatibility, GCS and autopilot negotiate the version via the AUTOPILOT_VERSION message. Since this negotiation depends on the answer, an attacker may craft packages in a way that hints the autopilot to adopt version 1.0 of MAVLink for the communication. Given the lack of authentication capabilities in such version of MAVLink (refer to CVE-2020-10282), attackers may use this method to bypass authentication capabilities and interact with the autopilot directly."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-288",
              "description": "CWE-288",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-08-20T08:15:12",
        "orgId": "dc524f69-879d-41dc-ab8f-724e78658a1a",
        "shortName": "Alias"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/aliasrobotics/RVD/issues/3316"
        }
      ],
      "source": {
        "defect": [
          "RVD#3317"
        ],
        "discovery": "EXTERNAL"
      },
      "title": "RVD#3317: MAVLink version handshaking allows for an attacker to bypass authentication",
      "x_generator": {
        "engine": "Robot Vulnerability Database (RVD)"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@aliasrobotics.com",
          "DATE_PUBLIC": "2020-08-20T08:07:15 +00:00",
          "ID": "CVE-2020-10283",
          "STATE": "PUBLIC",
          "TITLE": "RVD#3317: MAVLink version handshaking allows for an attacker to bypass authentication"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "MAVLink",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "2.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "PX4"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Victor Mayoral Vilches (Alias Robotics)"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Micro Air Vehicle Link (MAVLink) protocol presents authentication mechanisms on its version 2.0 however according to its documentation, in order to maintain backwards compatibility, GCS and autopilot negotiate the version via the AUTOPILOT_VERSION message. Since this negotiation depends on the answer, an attacker may craft packages in a way that hints the autopilot to adopt version 1.0 of MAVLink for the communication. Given the lack of authentication capabilities in such version of MAVLink (refer to CVE-2020-10282), attackers may use this method to bypass authentication capabilities and interact with the autopilot directly."
            }
          ]
        },
        "generator": {
          "engine": "Robot Vulnerability Database (RVD)"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "high",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-288"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/aliasrobotics/RVD/issues/3316",
              "refsource": "CONFIRM",
              "url": "https://github.com/aliasrobotics/RVD/issues/3316"
            }
          ]
        },
        "source": {
          "defect": [
            "RVD#3317"
          ],
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "dc524f69-879d-41dc-ab8f-724e78658a1a",
    "assignerShortName": "Alias",
    "cveId": "CVE-2020-10283",
    "datePublished": "2020-08-20T08:15:13.054378Z",
    "dateReserved": "2020-03-10T00:00:00",
    "dateUpdated": "2024-09-16T17:08:41.099Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2020-47961

CVE-2020-10283 (GCVE-0-2020-10283)

Tags

Sightings

Nomenclature