SCA-2022-0014
Vulnerability from csaf_sick - Published: 2022-10-31 11:00 - Updated: 2022-10-31 11:00
Summary
SICK FlexiCompact affected by Denial of Service vulnerability
Notes
SICK discovered a vulnerability in the configuration interface of FlexiCompact that can be accessed via Ethernet or USB. If exploited, this potentially allows a remote unauthenticated attacker to impact availability of the FlexiCompact. SICK recommends making sure to run a non-affected version. SICK is not aware of an exploit targeting this vulnerability.
General Security Measures: As general security measures, SICK recommends minimizing network exposure of the devices, restricting network access, and following recommended security practices in order to run the devices in a protected IT environment.
Vulnerability Classification: SICK performs vulnerability classification by using the CVSS scoring system (*CVSS v3.1*). The environmental score is dependent on the customer’s environment and can affect the overall CVSS score. SICK recommends that customers individually evaluate the environmental score to achieve final scoring.
A remote unprivileged attacker can interact with the configuration interface of a FlexiCompact FLX3-CPUC1 or FLX3-CPUC2 running an affected firmware version to potentially impact the availability of the FlexiCompact.
CVSS v3.1 base score: 5.9 (Medium), vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Vendor Fix
Make sure to use a non-affected firmware version of the FlexiCompact (>= V1.10.0). If this is not possible, follow the recommendations in the General Security Measures section.
{
"document": {
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "summary",
"text": "SICK discovered a vulnerability in the configuration interface of FlexiCompact that can be accessed via Ethernet or USB. If exploited, this potentially allows a remote unauthenticated attacker to impact availabiltiy of the FlexiCompact. SICK recommends making sure to run a non-affected version. SICK is not aware of an exploit targeting this vulnerability."
},
{
"category": "general",
"text": "As general security measures, SICK recommends to minimize network exposure of the devices, restrict network access and follow recommended security practices in order to run the devices in a protected IT environment.",
"title": "General Security Measures"
},
{
"category": "general",
"text": "SICK performs vulnerability classification by using the CVSS scoring system (*CVSS v3.1*). The environmental score is dependent on the customer\u2019s environment and can affect the overall CVSS score. SICK recommends that customers individually evaluate the environmental score to achieve final scoring.",
"title": "Vulnerability Classification"
}
],
"publisher": {
"category": "vendor",
"contact_details": "psirt@sick.de",
"issuing_authority": "SICK PSIRT is responsible for any vulnerabilities related to SICK products.",
"name": "SICK PSIRT",
"namespace": "https://www.sick.com/psirt"
},
"references": [
{
"summary": "SICK PSIRT Security Advisories",
"url": "https://sick.com/psirt"
},
{
"summary": "SICK Operating Guidelines",
"url": "https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf"
},
{
"summary": "ICS-CERT recommended practices on Industrial Security",
"url": "http://ics-cert.us-cert.gov/content/recommended-practices"
},
{
"summary": "CVSS v3.1 Calculator",
"url": "https://www.first.org/cvss/calculator/3.1"
},
{
"category": "self",
"summary": "The canonical URL.",
"url": "https://www.sick.com/.well-known/csaf/white/2022/sca-2022-0014.json"
}
],
"title": "SICK FlexiCompact affected by Denial of Service vulnerability",
"tracking": {
"current_release_date": "2022-10-31T11:00:00.000Z",
"generator": {
"date": "2023-02-10T10:20:24.501Z",
"engine": {
"name": "Secvisogram",
"version": "2.0.0"
}
},
"id": "SCA-2022-0014",
"initial_release_date": "2022-10-31T11:00:00.000Z",
"revision_history": [
{
"date": "2022-10-31T11:00:00.000Z",
"number": "1",
"summary": "Initial Release"
},
{
"date": "2023-02-10T11:00:00.000Z",
"number": "2",
"summary": "Updated Advisory (only visual changes)"
},
{
"date": "2025-07-30T07:29:45.000Z",
"number": "3",
"summary": "Updated Advisory: URL for SICK Operating Guidelines has been updated"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "SICK FLX3-CPUC1 all versions",
"product_id": "CSAFPID-0001"
}
}
],
"category": "product_name",
"name": "FLX3-CPUC1"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "SICK FLX3-CPUC2 all versions",
"product_id": "CSAFPID-0002"
}
}
],
"category": "product_name",
"name": "FLX3-CPUC2"
}
],
"category": "product_family",
"name": "FlexiCompact"
},
{
"branches": [
{
"category": "product_version",
"name": "1.02.0",
"product": {
"name": "SICK FLX3-CPUC1 Firmware 1.02.0",
"product_id": "CSAFPID-0003"
}
},
{
"category": "product_version",
"name": "1.03.0",
"product": {
"name": "SICK FLX3-CPUC1 Firmware 1.03.0",
"product_id": "CSAFPID-0004"
}
},
{
"category": "product_version",
"name": "1.10.0",
"product": {
"name": "SICK FLX3-CPUC1 Firmware 1.10.0",
"product_id": "CSAFPID-0005"
}
}
],
"category": "product_name",
"name": "FLX3-CPUC1 Firmware"
},
{
"branches": [
{
"category": "product_version",
"name": "1.02.0",
"product": {
"name": "SICK FLX3-CPUC2 Firmware 1.02.0",
"product_id": "CSAFPID-0006"
}
},
{
"category": "product_version",
"name": "1.03.0",
"product": {
"name": "SICK FLX3-CPUC2 Firmware 1.03.0",
"product_id": "CSAFPID-0007"
}
},
{
"category": "product_version",
"name": "1.10.0",
"product": {
"name": "SICK FLX3-CPUC2 Firmware 1.10.0",
"product_id": "CSAFPID-0008"
}
}
],
"category": "product_name",
"name": "FLX3-CPUC2 Firmware"
}
],
"category": "vendor",
"name": "SICK AG"
}
],
"relationships": [
{
"category": "installed_on",
"full_product_name": {
"name": "SICK FLX3-CPUC1 with Firmware 1.02.0",
"product_id": "CSAFPID-0009"
},
"product_reference": "CSAFPID-0003",
"relates_to_product_reference": "CSAFPID-0001"
},
{
"category": "installed_on",
"full_product_name": {
"name": "SICK FLX3-CPUC1 with Firmware 1.03.0",
"product_id": "CSAFPID-0010"
},
"product_reference": "CSAFPID-0004",
"relates_to_product_reference": "CSAFPID-0001"
},
{
"category": "installed_on",
"full_product_name": {
"name": "SICK FLX3-CPUC2 with Firmware 1.02.0",
"product_id": "CSAFPID-0011"
},
"product_reference": "CSAFPID-0006",
"relates_to_product_reference": "CSAFPID-0002"
},
{
"category": "installed_on",
"full_product_name": {
"name": "SICK FLX3-CPUC2 with Firmware 1.03.0",
"product_id": "CSAFPID-0012"
},
"product_reference": "CSAFPID-0007",
"relates_to_product_reference": "CSAFPID-0002"
},
{
"category": "installed_on",
"full_product_name": {
"name": "SICK FLX3-CPUC1 with Firmware 1.10.0",
"product_id": "CSAFPID-0013"
},
"product_reference": "CSAFPID-0005",
"relates_to_product_reference": "CSAFPID-0001"
},
{
"category": "installed_on",
"full_product_name": {
"name": "SICK FLX3-CPUC2 with Firmware 1.10.0",
"product_id": "CSAFPID-0014"
},
"product_reference": "CSAFPID-0008",
"relates_to_product_reference": "CSAFPID-0002"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-27583",
"cwe": {
"id": "CWE-285",
"name": "Improper Authorization"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "A remote unprivileged attacker can interact with the configuration interface of a FlexiCompact FLX3-CPUC1 or FLX3-CPUC2 running an affected firmware version to potentially impact the availability of the FlexiCompact.",
"title": "Description"
},
{
"category": "general",
"text": "As general security measures, SICK recommends to minimize network exposure of the devices, restrict network access and follow recommended security practices in order to run the devices in a protected IT environment.\n\nAdditional information on Industrial Security can be found at: \n\nhttp://ics-cert.us-cert.gov/content/recommended-practices",
"title": "General Security Measures"
}
],
"product_status": {
"fixed": [
"CSAFPID-0013",
"CSAFPID-0014"
],
"known_affected": [
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012"
]
},
"remediations": [
{
"category": "vendor_fix",
"date": "2022-10-31T10:00:00.000Z",
"details": "Make sure to use a non-affected firmware version of the FlexiCompact (\u003e= V1.10.0). If this is not possible make sure to follow the recommendations in the general practices section.",
"product_ids": [
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012"
]
}
]
}
]
}