sca-2023-0003
Vulnerability from csaf_sick
Published
2023-05-03 13:00
Modified
2023-05-03 13:00
Summary
Vulnerability in SICK Flexi Soft and Flexi Classic Gateways

Notes

SICK discovered a vulnerability in several Flexi Classic and Flexi Soft Gateways. If exploited, this potentially allows a remote unauthenticated attacker to impact the availabiltiy of the gateways. SICK is not aware of an exploit targeting this vulnerability.
General Security Measures
As general security measures, SICK recommends to minimize network exposure of the devices, restrict network access and follow recommended security practices in order to run the devices in a protected IT environment.
Vulnerability Classification
SICK performs vulnerability classification by using the CVSS scoring system (*CVSS v3.1*). The environmental score is dependent on the customer’s environment and can affect the overall CVSS score. SICK recommends that customers individually evaluate the environmental score to achieve final scoring.



{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "summary",
        "text": "SICK discovered a vulnerability in several Flexi Classic and Flexi Soft Gateways. If exploited, this potentially allows a remote unauthenticated attacker to impact the availabiltiy of the gateways. \n\nSICK is not aware of an exploit targeting this vulnerability.\n"
      },
      {
        "category": "general",
        "text": "As general security measures, SICK recommends to minimize network exposure of the devices, restrict network access and follow recommended security practices in order to run the devices in a protected IT environment.",
        "title": "General Security Measures"
      },
      {
        "category": "general",
        "text": "SICK performs vulnerability classification by using the CVSS scoring system (*CVSS v3.1*). The environmental score is dependent on the customer\u2019s environment and can affect the overall CVSS score. SICK recommends that customers individually evaluate the environmental score to achieve final scoring.",
        "title": "Vulnerability Classification"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "psirt@sick.de",
      "issuing_authority": "SICK PSIRT is responsible for any vulnerabilities related to SICK products.",
      "name": "SICK PSIRT",
      "namespace": "https://www.sick.com/psirt"
    },
    "references": [
      {
        "summary": "SICK PSIRT Security Advisories",
        "url": "https://www.sick.com/psirt"
      },
      {
        "summary": "SICK Operating Guidelines",
        "url": "https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF"
      },
      {
        "summary": "ICS-CERT recommended practices on Industrial Security",
        "url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
      },
      {
        "summary": "CVSS v3.1 Calculator",
        "url": "https://www.first.org/cvss/calculator/3.1"
      },
      {
        "category": "self",
        "summary": "The canonical URL.",
        "url": "https://www.sick.com/.well-known/csaf/white/2023/sca-2023-0003.json"
      },
      {
        "category": "self",
        "summary": "The canonical PDF URL.",
        "url": "https://www.sick.com/.well-known/csaf/white/2023/sca-2023-0003.pdf"
      }
    ],
    "title": "Vulnerability in SICK Flexi Soft and Flexi Classic Gateways",
    "tracking": {
      "current_release_date": "2023-05-03T13:00:00.000Z",
      "generator": {
        "date": "2023-12-04T10:27:34.168Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.2.16"
        }
      },
      "id": "SCA-2023-0003",
      "initial_release_date": "2023-05-03T13:00:00.000Z",
      "revision_history": [
        {
          "date": "2023-05-03T13:00:00.000Z",
          "number": "1",
          "summary": "Initial Release"
        },
        {
          "date": "2023-12-04T11:00:00.000Z",
          "number": "2",
          "summary": "Added self reference in CSAF"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:all/*",
                "product": {
                  "name": "SICK UE410-EN3 FLEXI ETHERNET GATEW. all versions",
                  "product_id": "CSAFPID-0001",
                  "product_identification_helper": {
                    "skus": [
                      "1042193"
                    ]
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "UE410-EN3 FLEXI ETHERNET GATEW."
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:all/*",
                "product": {
                  "name": "SICK UE410-EN1 FLEXI ETHERNET GATEW. all versions",
                  "product_id": "CSAFPID-0002",
                  "product_identification_helper": {
                    "skus": [
                      "1042964"
                    ]
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "UE410-EN1 FLEXI ETHERNET GATEW."
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:all/*",
                "product": {
                  "name": "SICK UE410-EN4 FLEXI ETHERNET GATEW. all versions",
                  "product_id": "CSAFPID-0003",
                  "product_identification_helper": {
                    "skus": [
                      "1044078"
                    ]
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "UE410-EN4 FLEXI ETHERNET GATEW."
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:all/*",
                "product": {
                  "name": "SICK FX0-GENT00000 FLEXISOFT EIP GATEW. all versions",
                  "product_id": "CSAFPID-0004",
                  "product_identification_helper": {
                    "skus": [
                      "1044072"
                    ]
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "FX0-GENT00000 FLEXISOFT EIP GATEW."
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:all/*",
                "product": {
                  "name": "SICK FX0-GMOD00000 FLEXISOFT MOD GATEW. all versions",
                  "product_id": "CSAFPID-0005",
                  "product_identification_helper": {
                    "skus": [
                      "1044073"
                    ]
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "FX0-GMOD00000 FLEXISOFT MOD GATEW."
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:all/*",
                "product": {
                  "name": "SICK FX0-GPNT00000 FLEXISOFT PNET GATEW. all versions",
                  "product_id": "CSAFPID-0006",
                  "product_identification_helper": {
                    "skus": [
                      "1044074"
                    ]
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "FX0-GPNT00000 FLEXISOFT PNET GATEW."
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:all/*",
                "product": {
                  "name": "SICK FX0-GENT00030 FLEXISOFT EIP GATEW.V2 all versions",
                  "product_id": "CSAFPID-0007",
                  "product_identification_helper": {
                    "skus": [
                      "1099830"
                    ]
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "FX0-GENT00030 FLEXISOFT EIP GATEW.V2"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:all/*",
                "product": {
                  "name": "SICK FX0-GPNT00030 FLEXISOFT PNET GATEW.V2 all versions",
                  "product_id": "CSAFPID-0008",
                  "product_identification_helper": {
                    "skus": [
                      "1099832"
                    ]
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "FX0-GPNT00030 FLEXISOFT PNET GATEW.V2"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:all/*",
                "product": {
                  "name": "SICK FX0-GMOD00010 FLEXISOFT MOD GW (C) all versions",
                  "product_id": "CSAFPID-0009",
                  "product_identification_helper": {
                    "skus": [
                      "1127717"
                    ]
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "FX0-GMOD00010 FLEXISOFT MOD GW (C)"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:all/*",
                "product": {
                  "name": "SICK FX0-GENT00010 FLEXISOFT EIP GW (C) all versions",
                  "product_id": "CSAFPID-0010",
                  "product_identification_helper": {
                    "skus": [
                      "1121596"
                    ]
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "FX0-GENT00010 FLEXISOFT EIP GW (C)"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:all/*",
                "product": {
                  "name": "SICK FX0-GPNT00010 FLEXISOFT PNET GW (C) all versions",
                  "product_id": "CSAFPID-0011",
                  "product_identification_helper": {
                    "skus": [
                      "1121597"
                    ]
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "FX0-GPNT00010 FLEXISOFT PNET GW (C)"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:all/*",
                "product": {
                  "name": "SICK UE410-EN3 FLEXI ETHERNET GATEW. Firmware all versions",
                  "product_id": "CSAFPID-0012"
                }
              }
            ],
            "category": "product_name",
            "name": "UE410-EN3 FLEXI ETHERNET GATEW. Firmware"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:all/*",
                "product": {
                  "name": "SICK UE410-EN1 FLEXI ETHERNET GATEW. Firmware all versions",
                  "product_id": "CSAFPID-0013"
                }
              }
            ],
            "category": "product_name",
            "name": "UE410-EN1 FLEXI ETHERNET GATEW. Firmware"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:all/*",
                "product": {
                  "name": "SICK UE410-EN4 FLEXI ETHERNET GATEW. Firmware all versions",
                  "product_id": "CSAFPID-0014"
                }
              }
            ],
            "category": "product_name",
            "name": "UE410-EN4 FLEXI ETHERNET GATEW. Firmware"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:all/*",
                "product": {
                  "name": "SICK FX0-GENT00000 FLEXISOFT EIP GATEW. Firmware all versions",
                  "product_id": "CSAFPID-0015"
                }
              }
            ],
            "category": "product_name",
            "name": "FX0-GENT00000 FLEXISOFT EIP GATEW. Firmware"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:all/*",
                "product": {
                  "name": "SICK FX0-GMOD00000 FLEXISOFT MOD GATEW. Firmware all versions",
                  "product_id": "CSAFPID-0016"
                }
              }
            ],
            "category": "product_name",
            "name": "FX0-GMOD00000 FLEXISOFT MOD GATEW. Firmware"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:all/*",
                "product": {
                  "name": "SICK FX0-GPNT00000 FLEXISOFT PNET GATEW. Firmware all versions",
                  "product_id": "CSAFPID-0017"
                }
              }
            ],
            "category": "product_name",
            "name": "FX0-GPNT00000 FLEXISOFT PNET GATEW. Firmware"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:all/*",
                "product": {
                  "name": "SICK FX0-GENT00030 FLEXISOFT EIP GATEW.V2 Firmware all versions",
                  "product_id": "CSAFPID-0018"
                }
              }
            ],
            "category": "product_name",
            "name": "FX0-GENT00030 FLEXISOFT EIP GATEW.V2 Firmware"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:all/*",
                "product": {
                  "name": "SICK FX0-GPNT00030 FLEXISOFT PNET GATEW.V2 Firmware all versions",
                  "product_id": "CSAFPID-0019"
                }
              }
            ],
            "category": "product_name",
            "name": "FX0-GPNT00030 FLEXISOFT PNET GATEW.V2 Firmware"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:all/*",
                "product": {
                  "name": "SICK FX0-GMOD00010 FLEXISOFT MOD GW (C) Firmware all versions",
                  "product_id": "CSAFPID-0020"
                }
              }
            ],
            "category": "product_name",
            "name": "FX0-GMOD00010 FLEXISOFT MOD GW (C) Firmware"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:all/*",
                "product": {
                  "name": "SICK FX0-GENT00010 FLEXISOFT EIP GW (C) Firmware all versions",
                  "product_id": "CSAFPID-0021"
                }
              }
            ],
            "category": "product_name",
            "name": "FX0-GENT00010 FLEXISOFT EIP GW (C) Firmware"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:all/*",
                "product": {
                  "name": "SICK FX0-GPNT00010 FLEXISOFT PNET GW (C) Firmware all versions",
                  "product_id": "CSAFPID-0022"
                }
              }
            ],
            "category": "product_name",
            "name": "FX0-GPNT00010 FLEXISOFT PNET GW (C) Firmware"
          }
        ],
        "category": "vendor",
        "name": "SICK AG"
      }
    ],
    "relationships": [
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "SICK UE410-EN3 FLEXI ETHERNET GATEW. all Firmware versions",
          "product_id": "CSAFPID-0023"
        },
        "product_reference": "CSAFPID-0012",
        "relates_to_product_reference": "CSAFPID-0001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "SICK UE410-EN1 FLEXI ETHERNET GATEW. all Firmware versions",
          "product_id": "CSAFPID-0024"
        },
        "product_reference": "CSAFPID-0013",
        "relates_to_product_reference": "CSAFPID-0002"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "SICK UE410-EN4 FLEXI ETHERNET GATEW. all Firmware versions",
          "product_id": "CSAFPID-0025"
        },
        "product_reference": "CSAFPID-0014",
        "relates_to_product_reference": "CSAFPID-0003"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "SICK FX0-GENT00000 FLEXISOFT EIP GATEW. all Firmware versions",
          "product_id": "CSAFPID-0026"
        },
        "product_reference": "CSAFPID-0015",
        "relates_to_product_reference": "CSAFPID-0004"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "SICK FX0-GMOD00000 FLEXISOFT MOD GATEW. all Firmware versions",
          "product_id": "CSAFPID-0027"
        },
        "product_reference": "CSAFPID-0016",
        "relates_to_product_reference": "CSAFPID-0005"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "SICK FX0-GPNT00000 FLEXISOFT PNET GATEW. all Firmware versions",
          "product_id": "CSAFPID-0028"
        },
        "product_reference": "CSAFPID-0017",
        "relates_to_product_reference": "CSAFPID-0006"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "SICK FX0-GENT00030 FLEXISOFT EIP GATEW.V2 all Firmware versions",
          "product_id": "CSAFPID-0029"
        },
        "product_reference": "CSAFPID-0018",
        "relates_to_product_reference": "CSAFPID-0007"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "SICK FX0-GPNT00030 FLEXISOFT PNET GATEW.V2 all Firmware versions",
          "product_id": "CSAFPID-0030"
        },
        "product_reference": "CSAFPID-0019",
        "relates_to_product_reference": "CSAFPID-0008"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "SICK FX0-GMOD00010 FLEXISOFT MOD GW (C) all Firmware versions",
          "product_id": "CSAFPID-0031"
        },
        "product_reference": "CSAFPID-0020",
        "relates_to_product_reference": "CSAFPID-0009"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "SICK FX0-GENT00010 FLEXISOFT EIP GW (C) all Firmware versions",
          "product_id": "CSAFPID-0032"
        },
        "product_reference": "CSAFPID-0021",
        "relates_to_product_reference": "CSAFPID-0010"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "SICK FX0-GPNT00010 FLEXISOFT PNET GW (C) all Firmware versions",
          "product_id": "CSAFPID-0033"
        },
        "product_reference": "CSAFPID-0022",
        "relates_to_product_reference": "CSAFPID-0011"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-23444",
      "cwe": {
        "id": "CWE-306",
        "name": "Missing Authentication for Critical Function"
      },
      "notes": [
        {
          "category": "description",
          "text": "Missing Authentication for Critical Function in SICK Flexi Classic and Flexi Soft Gateways with Partnumbers 1042193, 1042964, 1044078, 1044072, 1044073, 1044074, 1099830, 1099832, 1127717, 1121596, 1121597 allows an unauthenticated remote attacker to influence the availability of the device by changing the IP settings of the device via broadcasted UDP packets.",
          "title": "CVE description"
        },
        {
          "category": "summary",
          "text": "An unauthenticated remote attacker can change the IP settings of the SICK Flexi Classic and Flexi Soft Gateways by sending a broadcasted UDP packet and thereby affect the available of the gateways."
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0023",
          "CSAFPID-0024",
          "CSAFPID-0025",
          "CSAFPID-0026",
          "CSAFPID-0027",
          "CSAFPID-0028",
          "CSAFPID-0029",
          "CSAFPID-0030",
          "CSAFPID-0031",
          "CSAFPID-0032",
          "CSAFPID-0033"
        ]
      },
      "remediations": [
        {
          "category": "workaround",
          "details": "Please make sure that you apply general security practices when operating the Flexi Classic and Flexi Soft Gateways like network segmentation. The following General Security Practices and Operating Guidelines could mitigate the associated security risk.",
          "product_ids": [
            "CSAFPID-0023",
            "CSAFPID-0024",
            "CSAFPID-0025",
            "CSAFPID-0026",
            "CSAFPID-0027",
            "CSAFPID-0028",
            "CSAFPID-0029",
            "CSAFPID-0030",
            "CSAFPID-0031",
            "CSAFPID-0032",
            "CSAFPID-0033"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "environmentalScore": 7.5,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 7.5,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0023",
            "CSAFPID-0024",
            "CSAFPID-0025",
            "CSAFPID-0026",
            "CSAFPID-0027",
            "CSAFPID-0028",
            "CSAFPID-0029",
            "CSAFPID-0030",
            "CSAFPID-0031",
            "CSAFPID-0032",
            "CSAFPID-0033"
          ]
        }
      ],
      "title": "Missing Authentication for Critical Function in SICK Flexi Classic and Flexi Soft Gateways"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.