Advisory ID:               SYSS-2024-053
Product:                   InspectorP61x, InspectorP62x, TiM3xx
Manufacturer:              SICK AG
Affected Version(s):       <5.0.0, <5.0.0, <5.10.0
Tested Version(s):         N/A, v4.0.0.283, V4.2.1.6197
Vulnerability Type:        Improper Control of Generation of Code
                           ('Code Injection') (CWE-94)
Risk Level:                CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Solution Status:           Fixed
Manufacturer Notification: 2024-07-04
Solution Date:             2024-12-06
Public Disclosure:         2024-12-06
CVE Reference:             CVE-2024-10771
Author of Advisory:        Manuel Stotz and Tobias Jäger, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

SICK AG's InspectorP62x is a camera for industrial use.

The manufacturer describes the product as follows (see [1]):

"The InspectorP62x is an industrial all-in-one vision sensor that is
easy to use, compact and versatile. The integrated system of teach auto
focus optics and flexible illumination provides high-quality images
right out of the box. The included and pre-installed Quality Inspection
toolset of SICK Nova welcomes both expert and non-expert users to
configure the sensor in no time using an accessible and intuitive web
user interface."

Due to missing input validation, the InspectorP62x is vulnerable to a
remote code execution attack.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The software SICK AppManager (see [4]) can be used to install firmware
updates on the camera. For the communication between the AppManager and
the camera, the CoLa A/B protocols are used, which are offered on ports
2111/TCP and 2122/TCP.

During one step of the firmware update procedure, arbitrary system
commands can be executed on the camera. This is possible since the
camera does not validate the user input.

To trigger the exploit, the attacker requires network access and needs
to be authenticated with the user level "Service" (user level 4).

Since the commands are executed in the root user's context, the camera
is fully compromised. This can, for example, lead to the extraction of
the source code of the developed apps or the manipulation of image data.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

In coordination with the manufacturer, this information will be
disclosed at a later date.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

For the InspectorP61x and InspectorP62x, fixed firmware versions were
provided by the manufacturer.

For the TiM3xx, SICK recommends updating the firmware only in a trusted
environment (workaround).

Customers should update affected devices to the latest firmware version.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-06-07: Vulnerability discovered
2024-07-04: Vulnerability reported to manufacturer
2024-07-09 – 2024-12-02: Consultation and cooperation with the
            manufacturer
2024-12-06: Patch released by manufacturer
2024-12-06: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for InspectorP62x
    https://www.sick.com/at/en/catalog/produkte/industrielle-bildverarbeitung-und-identifikation/industrielle-bildverarbeitung/inspectorp62x/c/g507066
[2] SySS Security Advisory SYSS-2024-053
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-053.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[4] SICK AppManager
    https://www.sick.com/de/en/catalog/digital-services-and-solutions/engineering-tools/sick-appmanager/c/g446551

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Manuel Stotz and Tobias Jäger
of SySS GmbH.

E-Mail: manuel.stotz@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Manuel_Stotz.asc
Key ID: 0xE790F68ABCE68C6D
Key Fingerprint: F051 5B74 7E70 193E 7F66 0133 E790 F68A BCE6 8C6D

E-Mail: tobias.jaeger@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Tobias_Jaeger.asc
Key ID: 0xABF0CF2F4D0220F9
Key Fingerprint: 5C9F 5312 F37E B9AB E87B 1212 ABF0 CF2F 4D02 20F9

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
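
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Added example (not part of the SySS advisory and not SICK code): a triage check that applies the "Affected Version(s)" thresholds and the "Solution" section above to an asset inventory. The inventory entries, status labels and function names are assumptions made for illustration; the two "v"-prefixed firmware strings are the tested versions listed above.

```python
import re

# Thresholds from the advisory's "Affected Version(s)" field; actions from its
# "Solution" section. A trailing "x" in a product name is a one-character wildcard.
ADVISORY = {
    "InspectorP61x": ((5, 0, 0), "install fixed firmware"),
    "InspectorP62x": ((5, 0, 0), "install fixed firmware"),
    "TiM3xx": ((5, 10, 0), "update firmware only in a trusted environment"),
}

def family_regex(family):
    stem = family.rstrip("x")
    wildcards = len(family) - len(stem)
    return re.compile(re.escape(stem) + r"\w{%d}\b" % wildcards, re.IGNORECASE)

def parse_version(text):
    """'v4.0.0.283' -> (4, 0, 0, 283); None if the string is not dotted integers."""
    m = re.fullmatch(r"[vV]?(\d+(?:\.\d+)*)", text.strip())
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def is_older(version, fixed):
    # Compare numerically, zero-padded, so 5.9.0 < 5.10.0 and 5.0 == 5.0.0.
    width = max(len(version), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) < pad(fixed)

def triage(model, firmware):
    """Return (advisory product, status, action) for one inventory entry."""
    for family, (fixed, action) in ADVISORY.items():
        if family_regex(family).match(model):
            version = parse_version(firmware)
            if version is None:
                return (family, "unknown-version", "verify firmware manually")
            if is_older(version, fixed):
                return (family, "affected", action)
            return (family, "not-affected", "none")
    return (None, "not-listed", "none")

# Constructed inventory (hypothetical model names and firmware strings).
INVENTORY = [
    ("InspectorP621", "v4.0.0.283"), ("TiM361", "V4.2.1.6197"),
    ("TiM320", "5.9.0"), ("TiM310", "5.10.0.1"), ("InspectorP611", "5.0"),
    ("InspectorP621", "unknown"), ("InspectorP651", "4.1.0"),
]

if __name__ == "__main__":
    for model, fw in INVENTORY:
        print(model, fw, *triage(model, fw))
```

Entries reported as "unknown-version" should be treated as affected until the firmware level has been confirmed on the device.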