Mycroft associated vulnerabilities

Hello everyone,

I am using the Mycroft device for a pentesting thesis that I am finishing against this open source assistant and another company-owned device. After performing an Nmap scan against Mycroft, the Nmap tool reported that it is vulnerable to CVE-2007-6750 (denial of service attacks) and CVE-2023-28370 (phishing redirection with a crafted URL). Therefore, I tried to verify them; the things that I tried were:

  • CVE-2007-6750: I used the iaxflood tool, which is very powerful, and was very effective with multiple devices that I own. However, with Mycroft it was not successful at all; I verified it by sending pings to Mycroft while the attack was running and I could check that it was not having any effect. Is Mycroft protected against DoS attacks? Does it have a firewall or something that stops the attack from working?

  • CVE-2023-28370: What I first tried was to find out what files the server had; in order to do so I made several requests with the Postman tool. All of them were unsuccessful, they returned a 404 error. Then, I used the dirbuster, dirsearch and gobuster tools to discover directories on the server and I couldn't find anything.

I need to justify why both attacks are not working as expected in my thesis, so I would be grateful if someone could help me with that and tell me what is happening.

Best regards.

MK2 runs on Debian Bookworm.
Looking at this particular vulnerability:
https://security-tracker.debian.org/tracker/CVE-2023-35828

Even though the kernel running on the MK2 seems to not be 6.x yet:
$ uname -a
Linux neon 5.15.72-v8+ #1 SMP PREEMPT Thu Oct 6 20:29:02 EDT 2022 aarch64 GNU/Linux

The other vulnerability you referenced seems to be very old (as the name implies, 2007):
https://security-tracker.debian.org/tracker/CVE-2007-6750

1 Like
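The reply above checks the running kernel with uname before accepting a tracker entry as applicable; the same idea applies to any version-matched CVE an Nmap script reports. Below is an added example (not code from the thread or from any Mycroft/OVOS project) that parses the uname line into a comparable version tuple and tests it against an affected range. The range passed to triage() is a constructed placeholder, not the real affected range of any CVE; the real boundaries come from the distro's security tracker, as linked above.

```python
"""Triage a version-matched CVE hit against the kernel actually running.

Added example, not from the thread. Parses `uname -a` / `uname -r` output into
a (major, minor, patch) tuple and checks it against an affected-version range.
The range used in main() below is a constructed placeholder (assumption), not
the real affected range for CVE-2023-35828 or any other advisory.
"""
import re
from typing import Dict, Optional, Tuple

# Constructed sample: the uname -a line quoted in the thread.
SAMPLE_UNAME = ("Linux neon 5.15.72-v8+ #1 SMP PREEMPT Thu Oct 6 20:29:02 EDT 2022 "
                "aarch64 GNU/Linux")

Version = Tuple[int, int, int]


def parse_kernel_release(uname_line: str) -> Version:
    """Return (major, minor, patch) from a `uname -a` or `uname -r` string.

    The first dotted number group is the kernel release; suffixes such as
    '-v8+' or '-rc1' are ignored for the comparison.
    """
    m = re.search(r"\b(\d+)\.(\d+)(?:\.(\d+))?", uname_line)
    if not m:
        raise ValueError(f"no kernel version found in: {uname_line!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_affected(running: Version, first_affected: Version,
                fixed_in: Optional[Version]) -> bool:
    """True if `running` lies in [first_affected, fixed_in).

    fixed_in=None means no fixed release is known, so everything at or above
    first_affected counts as affected.
    """
    if running < first_affected:
        return False
    if fixed_in is None:
        return True
    return running < fixed_in


def triage(uname_line: str, cve_id: str, first_affected: Version,
           fixed_in: Optional[Version]) -> Dict[str, object]:
    """Combine parsing and the range check into one verdict record."""
    running = parse_kernel_release(uname_line)
    affected = is_affected(running, first_affected, fixed_in)
    return {
        "cve": cve_id,
        "running": ".".join(map(str, running)),
        "affected": affected,
        "note": ("upstream range matches; confirm distro backports on the tracker"
                 if affected else "running kernel is outside the affected range"),
    }


def main() -> None:
    # Placeholder range (assumption): affected from 6.0.0, fixed in 6.3.8.
    verdict = triage(SAMPLE_UNAME, "CVE-PLACEHOLDER", (6, 0, 0), (6, 3, 8))
    print(f"{verdict['cve']}: kernel {verdict['running']} -> "
          f"{'APPLIES' if verdict['affected'] else 'does not apply'} "
          f"({verdict['note']})")


if __name__ == "__main__":
    main()
```

Two caveats belong with this check. A distro kernel such as Debian's 5.15 series may carry backported fixes, so an upstream version comparison is only the first pass; the tracker's per-release status is authoritative. And the same logic is what a banner-based Nmap script cannot do: it sees a version string, not the patch state behind it, which is why its CVE list needs exactly this kind of verification before it goes into a report.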

We need more information to be informative. What software is the device running? If you aren’t sure, you can describe the logo you see when the unit powers on, that’d tell us.

For the OVOS Docker images, I'm using Trivy to scan the images; it gives me an overview of the current CVEs per image (critical or not).

2 Likes
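To show what the per-image overview mentioned above looks like once a Trivy report is machine-readable, here is an added example (not the OVOS project's own tooling). It assumes the layout that `trivy image --format json` produces: a top-level "ArtifactName" and "Results" list, each result carrying a "Vulnerabilities" list with "VulnerabilityID", "PkgName", "InstalledVersion", "FixedVersion" and "Severity". The report embedded below is constructed for the example and its CVE ids are placeholders, not real advisories.

```python
"""Summarise a Trivy JSON image report by severity and fixability.

Added example, not OVOS project code. Assumes the Trivy JSON layout described
above; the embedded report is constructed and its CVE ids are placeholders.
"""
import json
import sys
from collections import Counter
from typing import Dict, List, Optional, Tuple

SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN"]

# Constructed sample report (placeholder image name and CVE ids).
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "example/assistant-image:placeholder",
    "Results": [
        {"Target": "example/assistant-image:placeholder (debian 12.0)",
         "Class": "os-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample1",
              "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample1",
              "InstalledVersion": "1.0-1", "FixedVersion": "", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "exampletool",
              "InstalledVersion": "2.3", "FixedVersion": "2.4", "Severity": "MEDIUM"},
         ]},
        {"Target": "Python", "Class": "lang-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0004", "PkgName": "examplepkg",
              "InstalledVersion": "0.9", "FixedVersion": "1.1", "Severity": "CRITICAL"},
         ]},
        # Trivy emits result entries with no Vulnerabilities key (or null) too.
        {"Target": "/app/config", "Class": "config"},
    ],
})

Finding = Tuple[str, str, str]  # (cve id, package, target)


def summarize(report_json: str) -> Dict[str, object]:
    """Count findings per severity and split them into fixable / no-fix lists."""
    report = json.loads(report_json)
    counts: Counter = Counter()
    fixable: List[Finding] = []
    unfixed: List[Finding] = []
    for result in report.get("Results", []):
        # "Vulnerabilities" may be absent or null for clean targets.
        for v in result.get("Vulnerabilities") or []:
            counts[v.get("Severity", "UNKNOWN")] += 1
            entry = (v["VulnerabilityID"], v["PkgName"], result.get("Target", ""))
            (fixable if v.get("FixedVersion") else unfixed).append(entry)
    return {
        "image": report.get("ArtifactName", "?"),
        "by_severity": {s: counts.get(s, 0) for s in SEVERITY_ORDER},
        "fixable": fixable,
        "unfixed": unfixed,
    }


def passes_gate(summary: Dict[str, object], max_critical: int = 0,
                max_high: Optional[int] = None) -> bool:
    """Simple release gate: fail on more criticals (or highs) than allowed."""
    sev = summary["by_severity"]
    if sev["CRITICAL"] > max_critical:
        return False
    return max_high is None or sev["HIGH"] <= max_high


def format_summary(summary: Dict[str, object]) -> str:
    lines = [f"image: {summary['image']}"]
    lines += [f"  {s:<9}{n}" for s, n in summary["by_severity"].items()]
    lines.append(f"  fixable by upgrade: {len(summary['fixable'])}, "
                 f"no fix available: {len(summary['unfixed'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Pass a real report path (trivy image --format json -o report.json ...)
    # or run without arguments to use the constructed sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    s = summarize(data)
    print(format_summary(s))
    print("gate:", "PASS" if passes_gate(s) else "FAIL")
```

The fixable/unfixed split is the part worth keeping in any image pipeline: a CRITICAL with a FixedVersion is a rebuild away from gone, while one without a fix needs a documented risk decision rather than a rebuild, and a gate that treats the two alike tends to get silenced instead of acted on.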

How can I see this information on a docker instance of this device? I don’t have the physical device.

Do you need more information apart from the software version?

The identity or source of the docker image would tell us. The problem is there is no “this device.”

The source of the image I downloaded is this URL: Docker. I have the latest version published there installed on my machine.

@goldyfruit was principally responsible for that image, so is best equipped to describe it, though I should note that both it and the original Mycroft-core are abandonware. The state of affairs:

As to the nature of the thing itself, I should also clarify that there are two elements. The Assistant, either Mycroft-core or a derivative, is software. That docker image, and the various Mycroft-based smart speaker images, are each separate, more or less opinionated implementations of the Assistant. Put differently, you aren’t running a docker version of the Mark II, you’re running a dockerized version of the Assistant.

Goldyfruit is now maintaining OVOS’ docker image (see FAQ) which we regard as much more “official” than MycroftAI did theirs. Our image kinda resembles what we put on a Mark II, when you run our smart speaker distro, but we’d sooner put most retail customers on NeonOS (see FAQ) which runs a heavily configured OVOS stack on a heavily opinionated system, with a whole bunch of their own utilities atop. Largely what we were hoping for in the first place, you might say, but not dockerized, afaik.

1 Like

The image you are using is from the Mycroft AI team, not from me, and it has not been updated for a year now.

1 Like

Is that Docker image maybe for regular Mycroft Core, not for Dinkum? @goldyfruit @ChanceNCounter - and thank you for helping!

@Tony450 our Neon AI OS software is up here, in case that’s helpful - Neon AI · GitHub
and OpenVoiceOS has theirs here - OpenVoiceOS · GitHub

Mycroft's software was split into two main versions, their Core, and their Dinkum rewrite. Neither is being maintained. If you need to complete your thesis based on the Mycroft software, there isn't any technical support available from them, but there is a lot of information here and on their website, which I think you'll be able to use to figure out what best to base your thesis on.

If you have more flexibility, I suggest you switch to either the OS offered by OVOS or Neon AI. There are many shared components between the Mycroft, OVOS, and Neon AI operating systems. The latter two are actively maintained, and we’ll appreciate hearing of any vulnerabilities you find.

According to the Dockerfile, the image is built from GitHub - MycroftAI/mycroft-core: Mycroft Core, the Mycroft Artificial Intelligence platform. without any branch or tag, so I would say that it's not for Dinkum.

1 Like

Okay, thank you all for your answers. I will have a deep look at them and also at the links and tools you provided me.

2 Likes

Docker Hub seems to display vulnerabilities as well.

What vulnerabilities does it show? That view doesn’t seem to be public.

I can see it listed as public now, so maybe he changed it?

It seems that this view can be shared, but you need to be logged in, I guess.

https://scout.docker.com/reports/org/smartgic/host/hub.docker.com/repo/smartgic%2Fovos-core/tag/0.0.8a/digest/sha256%3Add0015cd902a009228b6adf83aa198cb415c876eb55c2015893e73c087727e12?utm_source=hub&utm_medium=actions-button

Yikes. Well, as alluded but not explicitly stated in chat, I’ve got a busy day of family stuff, and two of my counterparts are vacationing.

I’ll tag @j1nx @NeonDaniel and @builderjer and join the party when I’m able

Somebody might wanna poke Daniel in chat, as I know he checks it much more frequently :man_shrugging:

1 Like