RVD#3327: No authentication required for accessing ABB IRC5 FTP server #3327

Open
rvd-bot opened this issue Jul 15, 2020 · 0 comments

rvd-bot commented Jul 15, 2020

id: 3327
title: 'RVD#3327: No authentication required for accessing ABB IRC5 FTP server'
type: vulnerability
description: IRC5 exposes an ftp server (port 21). Upon attempting to gain access
  you are challenged with a request of username and password, however you can input
  whatever you like. As long as the field isn't empty it will be accepted.
cwe: CWE-284
cve: CVE-2020-10288
keywords:
- IRC5, FTP, Authentication
system: IRB140, IRC5, Robotware_5.09, VxWorks5.5.1
vendor: ABB
severity:
  rvss-score: 9.4
  rvss-vector: RVSS:1.0/AV:IN/AC:H/PR:L/UI:N/Y:Z/S:U/C:H/I:H/A:H/H:H
  severity-description: Critical
  cvss-score: 9.8
  cvss-vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
links:
- https://cwe.mitre.org/data/definitions/284.html
- https://github.com/aliasrobotics/RVD/issues/3327
flaw:
  phase: testing
  specificity: general-issue
  architectural-location: Platform code
  application: FTP server
  subsystem: UI:Login
  package: N/A
  languages: None
  date-detected: 2020-05-11
  detected-by: Alfonso Glera, Victor Mayoral Vilches (Alias Robotics)
  detected-by-method: testing dynamic, Nmap.
  date-reported: '2020-07-15'
  reported-by: Victor Mayoral Vilches
  reported-by-relationship: security researcher
  issue: https://github.com/aliasrobotics/RVD/issues/3327
  reproducibility: Always
  trace: Not disclosed
  reproduction: Not disclosed
  reproduction-image: Not disclosed
exploitation:
  description: Not disclosed
  exploitation-image: Not disclosed
  exploitation-vector: Not disclosed
  exploitation-recipe: ''
mitigation:
  description: Not disclosed
  pull-request: Not disclosed
  date-mitigation: null

rvd-bot changed the title from "No authentication required for accessing ABB IRC5 FTP server" to "RVD#3327: No authentication required for accessing ABB IRC5 FTP server" on Jul 15, 2020