CVE-2018-17177

Published: Sep 18, 2018Modified: Nov 21, 2024

2.4

Vector

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Exploitability: 0.9 / Impact: 1.4

Source: NVD

Description

An issue was discovered on Neato Botvac Connected 2.2.0 and Botvac 85 1.2.1 devices. Static encryption is used for the copying of so-called "black box" logs (event logs and core dumps) to a USB stick. These logs are RC4-encrypted with a 9-character password of *^JEd4W!I that is obfuscated by hiding it within a custom /bin/rc4_crypt binary.

Affected (6)

Products: Neatorobotics: Botvac D4 Connected Firmware, Botvac D6 Connected Firmware, Botvac D5 Connected Firmware, Botvac D7 Connected Firmware, Botvac D3 Connected Firmware, Botvac 85 Firmware

Neatorobotics

6 products

Botvac D4 Connected Firmware

Botvac D6 Connected Firmware

Botvac D5 Connected Firmware

Botvac D7 Connected Firmware

Botvac D3 Connected Firmware

Botvac 85 Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Neatorobotics Botvac D4 Connected Firmware	Version 2.2.0

Running on/with	Platform Versions
Neatorobotics Botvac D4 Connected	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Neatorobotics Botvac D6 Connected Firmware	Version 2.2.0

Running on/with	Platform Versions
Neatorobotics Botvac D6 Connected	All versions

Configuration C

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Neatorobotics Botvac D5 Connected Firmware	Version 2.2.0

Running on/with	Platform Versions
Neatorobotics Botvac D5 Connected	All versions

Configuration D

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Neatorobotics Botvac D7 Connected Firmware	Version 2.2.0

Running on/with	Platform Versions
Neatorobotics Botvac D7 Connected	All versions

Configuration E

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Neatorobotics Botvac D3 Connected Firmware	Version 2.2.0

Running on/with	Platform Versions
Neatorobotics Botvac D3 Connected	All versions

Configuration F

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Neatorobotics Botvac 85 Firmware	Version 1.2.1

Running on/with	Platform Versions
Neatorobotics Botvac 85 Connected	All versions

Related CWEs

CWE-326

Inadequate Encryption Strength

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

References (2)

https://media.ccc.de/v/2018-124-pinky-brain-are-taking-over-the-world-with-vacuum-cleaners

Source: cve@mitre.org

ExploitTechnical DescriptionThird Party Advisory

https://media.ccc.de/v/2018-124-pinky-brain-are-taking-over-the-world-with-vacuum-cleaners

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitTechnical DescriptionThird Party Advisory

Timeline

No history available yet.