RVD#2561: Unprotected BIOS allows user to boot from live OS image. #2561

Open
rvd-bot opened this issue Jun 24, 2020 · 0 comments

rvd-bot commented Jun 24, 2020

id: 2561
title: 'RVD#2561: Unprotected BIOS allows user to boot from live OS image.'
type: vulnerability
description: The BIOS onboard MiR's Computer is not protected by password, therefore,
  it allows a Bad Operator to modify settings such as boot order. This can be leveraged
  by a Malicious operator to boot from a Live Image.
cwe: CWE-284
cve: CVE-2020-10278
keywords:
- MiR100, MiR200, MiR500, MiR250, MiR1000, ER200, ER-Lite, ER-Flex,
  ER-One, UVD
system: MiR100:v2.8.1.1 and before, MiR200, MiR250, MiR500, MiR1000, ER200,
  ER-Lite, ER-Flex, ER-One, UVD
vendor: Mobile Industrial Robots A/S, EasyRobotics, Enabled Robotics, UVD Robots
severity:
  rvss-score: 7.1
  rvss-vector: RVSS:1.0/AV:PR/AC:L/PR:N/UI:N/S:C/Y:Z/C:N/I:L/A:H/H:N/
  severity-description: High
  cvss-score: 6.1
  cvss-vector: CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:H
links:
- https://cwe.mitre.org/data/definitions/284.html
- https://github.com/aliasrobotics/RVD/issues/2561
flaw:
  phase: runtime-operation
  specificity: general issue
  architectural-location: platform-specific
  application: system-bios
  subsystem: N/A
  package: N/A
  languages: N/A
  date-detected: 2020-06-11
  detected-by: Lander Usategui, Alfonso Glera (Alias Robotics)
  detected-by-method: testing-dynamic
  date-reported: '2020-06-24'
  reported-by: "Victor Mayoral Vilches (Alias Robotics)"
  reported-by-relationship: security researcher
  issue: https://github.com/aliasrobotics/RVD/issues/2561
  reproducibility: Always
  trace: Not disclosed
  reproduction: Not disclosed
  reproduction-image: Not disclosed
exploitation:
  description: Not disclosed
  exploitation-image: Not disclosed
  exploitation-vector: Not disclosed
  exploitation-recipe: ''
mitigation:
  description: Not disclosed
  pull-request: Not disclosed
  date-mitigation: null