Published: 2017/11/16  Last Updated: 2017/11/16

JVN#76382932
Robotic appliance COCOROBO vulnerable to session management

Overview

Robotic appliance COCOROBO contains a vulnerability in session management.

Products Affected

  • RX-V200 firmware versions prior to 09.87.17.09
  • RX-V100 firmware versions prior to 03.29.17.09
  • RX-CLV1-P firmware versions prior to 79.17.17.09
  • RX-CLV2-B firmware versions prior to 89.07.17.09
  • RX-CLV3-N firmware versions prior to 91.09.17.10

Description

Robotic appliance COCOROBO, provided by Sharp Corporation, is a robot with a cleaning function. Robotic appliance COCOROBO contains a vulnerability in session management (CWE-639: Authorization Bypass Through User-Controlled Key).

Impact

An attacker on the same LAN may impersonate a user who accesses the product. As a result, arbitrary operations may be performed on the product, or information may be altered or disclosed.

Solution

Update the Firmware
Apply the appropriate firmware update according to the information provided by the developer.

Vendor Status

Vendor             Status      Last Update   Vendor Notes
Sharp Corporation  Vulnerable  2017/11/16    Sharp Corporation website

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Base Score: 4.6
Attack Vector (AV): Adjacent (A)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): Required (R)
Scope (S): Unchanged (U)
Confidentiality Impact (C): Low (L)
Integrity Impact (I): Low (L)
Availability Impact (A): None (N)

CVSS v2 AV:A/AC:M/Au:N/C:P/I:P/A:N
Base Score: 4.3
Access Vector (AV): Adjacent Network (A)
Access Complexity (AC): Medium (M)
Authentication (Au): None (N)
Confidentiality Impact (C): Partial (P)
Integrity Impact (I): Partial (P)
Availability Impact (A): None (N)

Credit

Kiyotaka ATSUMI of IoT Technology Laboratory, Cyber Grid Japan, LAC Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

Other Information

JPCERT Alert: (none)
JPCERT Reports: (none)
CERT Advisory: (none)
CPNI Advisory: (none)
TRnotes: (none)
CVE: CVE-2017-10890
JVN iPedia: JVNDB-2017-000238