
RVD#3315: Cleartext transmission of sensitive information in MAVLink protocol version 1.0 and 2.0

Open vmayoral opened this issue 4 years ago • 4 comments

id: 3315
title: 'RVD#3315: Cleartext transmission of sensitive information in MAVLink protocol version 1.0 and 2.0'
type: vulnerability
description:  This vulnerability applies to the Micro Air Vehicle Link (MAVLink) protocol
  and allows a remote attacker to gain access to sensitive information provided it has
  access to the communication medium. MAVLink is a header-based protocol that does 
  not perform encryption to improve transfer (and reception speed) and efficiency by 
  design. The increasing popularity of the protocol (used across different autopilots) 
  has led to its use in wired and wireless mediums through insecure communication 
  channels exposing sensitive information to a remote attacker with ability to intercept 
  network traffic.
cwe: CWE-319
cve: CVE-2020-10281
keywords:
- MAVLink
- v1.0
- v2.0
- PX4
- Ardupilot
system: "MAVLink: v2.0 and before"
vendor: "PX4"
severity:
  rvss-score: 7.3
  rvss-vector: RVSS:1.0/AV:AN/AC:L/PR:N/UI:N/S:U/Y:T/C:H/I:N/A:N/H:N
  severity-description: high
  cvss-score: 7.5
  cvss-vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
links:
- https://arxiv.org/abs/1906.10641
- https://arxiv.org/abs/1905.00265
- https://docs.google.com/document/d/1ETle6qQRcaNWAmpG2wz0oOpFKSF_bcTmYMQvtTGI8ns/edit
- https://docs.google.com/document/d/1upZ_KnEgK3Hk1j0DfSHl9AdKFMoSqkAQVeK8LsngvEU/edit
- https://docs.google.com/document/d/1XtbD0ORNkhZ8eKrsbSIZNLyg9sFRXMXbsR2mp37KbIg/edit
flaw:
  phase: unknown
  specificity: subject-specific
  architectural-location: platform code
  application: Flying vehicles and/or others using MAVLink protocol.
  subsystem: communication
  package: N/A
  languages: C, C++
  date-detected: 
  detected-by: 
  detected-by-method: testing
  date-reported: '2020-06-30'
  reported-by: "Victor Mayoral Vilches (Alias Robotics)"
  reported-by-relationship: security researcher
  issue: https://github.com/aliasrobotics/RVD/issues/3315
  reproducibility: always
  trace: N/A
  reproduction: N/A
  reproduction-image: N/A
exploitation:
  description: Not available
  exploitation-image: Not available
  exploitation-vector: Not available
  exploitation-recipe: ''
mitigation:
  description: See https://arxiv.org/abs/1905.00265 for a first approach though no source code was found at the time of reporting.
  pull-request: N/A
  date-mitigation: null

vmayoral avatar Jun 30 '20 16:06 vmayoral

Likely applying also to other robot components. Ping @glerapic, let me know if you disagree with this ticket, otherwise I'm requesting the CVE ID preliminarily assigned.

vmayoral avatar Jun 30 '20 16:06 vmayoral

LGTM!

glerapic avatar Jul 01 '20 06:07 glerapic

Assigned a CVE ID, sent a PR to the upstream CVE List repo https://github.com/CVEProject/cvelist/pull/4247

vmayoral avatar Jul 03 '20 14:07 vmayoral

You can remove on ArduPilot: if you are speaking of status_text, that is only debug information, mostly sent when you get a failure; you cannot do anything with that ...

khancyr avatar Aug 21 '20 12:08 khancyr