PSA-011: DOS on Web Interface

Last modified: 24 Sept 2025

CVE-2020-10280

Note

This Product Security Advisory is based on a thorough investigation and all findings that were available at the time of publication. Should new information on the matter become available, it is possible that the initial assessment changes and the Advisory will be updated.

Statement

We hereby inform you that the following MiR products:

Product | Software version
MiR Robots | < 3.4
MiR Fleet | < 3.4

are affected by:

CVE | CVSS score | Customer Risk (MiR Score)
CVE-2020-10280 | 7.5 | Medium

Overview

An attacker can cause denial of service of the Apache web server by flooding the web interface endpoints with requests.

References

NIST NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2020-10280

Mitigations

  • In software version 3.4 and newer, the Apache web server’s configuration is improved to provide more resilience against denial-of-service attacks.

Recommended Actions

  • Fully guarding against denial-of-service attacks is beyond the capabilities of industrial robots and is much more effectively implemented using network solutions in the IT network of the operator, if such protection is at all desired by the operator.

  • Please be aware that MiR products must be operated in a secured WiFi network. Perform a risk assessment for this attack scenario and consider implementing defense mechanisms against DoS attacks on the network level.
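
An added example, not part of MiR's advisory or software: a sliding-window check over Apache access-log lines that flags clients sending request floods of the kind described in the Overview, as one input to the risk assessment recommended above. The log format (Apache common/combined), the thresholds, the function names, the /placeholder path and the sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Leading fields of Apache's common/combined log format: client, identd, user, [time]
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def find_floods(lines, window_s=10, max_requests=100):
    """Return {client: peak count} for clients that sent more than
    max_requests within any window_s-second sliding window.
    Assumes each client's lines appear in roughly chronological order."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)  # client -> timestamps still inside the window
    peaks = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line
        try:
            ts = datetime.strptime(m.group(2), TIME_FMT)
        except ValueError:
            continue  # unparsable timestamp
        q = recent[m.group(1)]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) > max_requests:
            peaks[m.group(1)] = max(peaks.get(m.group(1), 0), len(q))
    return peaks

def sample_log():
    """Constructed input: 192.0.2.10 floods, 192.0.2.20 polls slowly."""
    base = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    row = '{ip} - - [{t}] "GET /placeholder HTTP/1.1" 200 512'
    lines = []
    for i in range(300):  # 100 requests per second for 3 seconds
        t = base + timedelta(seconds=i // 100)
        lines.append(row.format(ip="192.0.2.10", t=t.strftime(TIME_FMT)))
    for i in range(5):    # one request every 10 seconds
        t = base + timedelta(seconds=10 * i)
        lines.append(row.format(ip="192.0.2.20", t=t.strftime(TIME_FMT)))
    return lines

if __name__ == "__main__":
    for client, peak in find_floods(sample_log()).items():
        print(f"{client}: {peak} requests within 10 s")
```

The window and threshold should be set from the request rates seen during normal operation of the web interface.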

Revision history

Date | Description
2025-09-24 | Revised as part of a webpage update
2024-03-26 | Update of Affected Versions, Mitigations and Recommended Actions
2022-08-11 | Document name and visual update
2021-05-27 | Initial Advisory publication