-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2024-054
Product: InspectorP61x, InspectorP62x
Manufacturer: SICK AG
Affected Version(s): <5.0.0, <5.0.0
Tested Version(s): N/A, v4.0.0.283
Vulnerability Type: Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking (CWE-649)
Risk Level: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Solution Status: Fixed
Manufacturer Notification: 2024-07-04
Solution Date: 2024-12-06
Public Disclosure: 2024-12-06
CVE Reference: CVE-2024-10772
Author of Advisory: Manuel Stotz and Tobias Jäger, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The InspectorP62x by SICK AG is a camera for industrial use.

The manufacturer describes the product as follows (see [1]):

"The InspectorP62x is an industrial all-in-one vision sensor that is easy
to use, compact and versatile. The integrated system of teach auto focus
optics and flexible illumination provides high-quality images right out
of the box. The included and pre-installed Quality Inspection toolset of
SICK Nova welcomes both expert and non-expert users to configure the
sensor in no time using an accessible and intuitive web user interface."

Due to missing validation of the firmware update, modified firmware can
be installed on the device. This leads to a full compromise of the
camera.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

A firmware update consists of many different packages and a description
file. The description file is encrypted and contains information about
every package and an MD5 hash over the first 1024 bytes of the package.
The encryption key is hardcoded into the SICK AppManager and can be
extracted. Therefore, the description file can be decrypted, modified
and encrypted again. The hashes stored in the description file are
checked by the SICK AppManager, but not by the device.
The first four bytes of each package file are a CRC32 checksum
calculated over the entire package file.

This leads to four different ways to install a modified firmware image:

1. After the update package file has been modified, the CRC32 and then
   the MD5 hash of the file need to be recalculated. The hash then has
   to be updated in the package file name and in the decrypted
   description file.

2. Since the hashes are only verified in the SICK AppManager, the
   software can be patched or debugged to remove the check. This is
   possible since the AppManager is running on an attacker-controlled
   computer.

3. The firmware update package can be installed by communicating
   directly with the CoLA interface of the camera.

4. The update package can be modified after the first 1024 bytes. In
   this case, the MD5 hash does not change and the modification is not
   detected by the client. Since CRC32 is a simple checksum and not a
   secure cryptographic hash, a collision can be found easily. This
   means that a string can be found which can be appended to the end of
   the package file, after which the CRC32 of the entire file is
   identical to the CRC32 of the unmodified file.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

In coordination with the manufacturer, this information will be
disclosed at a later date.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Fixed firmware versions were provided by the manufacturer. Customers
should update affected devices to the latest firmware version.
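The integrity model described in the Vulnerability Details section (a CRC32
header over the package file plus an MD5 over the first 1024 bytes that only
the client compares) can be contrasted with a device-side signature check.
The following Go program is an added example written for this advisory; it is
not code from SICK AG or SySS GmbH and does not reproduce the real package
format. It assumes a package layout of a 4-byte little-endian CRC32 over the
payload followed by the payload, uses a constructed 3000-byte sample as the
"firmware", and introduces the function names BuildPackage, CRCValid,
HeadMD5, SignPackage, DeviceVerify and Demo as hypothetical names. It models
only the checks the advisory describes (no CRC collision search) and adds an
Ed25519 signature over the SHA-256 of the whole package, verified with a
public key the device would hold, as the hardened form.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"hash/crc32"
)

// Assumed layout for this example (not SICK's actual format): a 4-byte
// little-endian CRC32 over the payload, followed by the payload.
const headerLen = 4

// md5Window is the prefix length the advisory says the description file hashes.
const md5Window = 1024

// BuildPackage prepends the CRC32 header to a payload.
func BuildPackage(payload []byte) []byte {
	pkg := make([]byte, headerLen+len(payload))
	binary.LittleEndian.PutUint32(pkg, crc32.ChecksumIEEE(payload))
	copy(pkg[headerLen:], payload)
	return pkg
}

// CRCValid models the only check the advisory attributes to the device:
// a checksum that anyone holding the file can recompute after editing it.
func CRCValid(pkg []byte) bool {
	if len(pkg) < headerLen {
		return false
	}
	return binary.LittleEndian.Uint32(pkg) == crc32.ChecksumIEEE(pkg[headerLen:])
}

// HeadMD5 models the value the description file records: MD5 over at most
// the first 1024 bytes of the package file, compared by the client only.
func HeadMD5(pkg []byte) string {
	n := len(pkg)
	if n > md5Window {
		n = md5Window
	}
	sum := md5.Sum(pkg[:n])
	return hex.EncodeToString(sum[:])
}

// SignPackage is the hardened alternative: the vendor signs the SHA-256 of the
// complete package with an Ed25519 private key that stays with the vendor.
func SignPackage(priv ed25519.PrivateKey, pkg []byte) []byte {
	digest := sha256.Sum256(pkg)
	return ed25519.Sign(priv, digest[:])
}

// DeviceVerify is the check the device itself should run before flashing;
// it needs only the vendor's public key.
func DeviceVerify(pub ed25519.PublicKey, pkg, sig []byte) bool {
	digest := sha256.Sum256(pkg)
	return ed25519.Verify(pub, digest[:], sig)
}

// Outcome records what each check reports for the constructed scenario.
type Outcome struct {
	CRCAcceptsTampered bool // CRC32 re-validates after an edit plus header rebuild
	MD5BlindToTailEdit bool // description-file hash is identical after an edit past byte 1024
	SigAcceptsOriginal bool
	SigAcceptsTampered bool
}

// Demo builds a constructed package, edits it, and runs every check.
func Demo() (Outcome, error) {
	var out Outcome
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	payload := bytes.Repeat([]byte("FIRMWARE-BLOCK "), 200) // constructed sample, 3000 bytes
	original := BuildPackage(payload)
	sig := SignPackage(priv, original)

	// Edit the payload well past the MD5 window and rebuild the CRC header.
	edited := append([]byte(nil), payload...)
	copy(edited[2000:], "NOT-THE-VENDOR")
	tampered := BuildPackage(edited)
	out.CRCAcceptsTampered = CRCValid(tampered)

	// The same edit with the header untouched leaves the first 1024 bytes,
	// and therefore the recorded MD5, unchanged.
	tailOnly := append([]byte(nil), original...)
	copy(tailOnly[headerLen+2000:], "NOT-THE-VENDOR")
	out.MD5BlindToTailEdit = HeadMD5(tailOnly) == HeadMD5(original)

	// A signature over the whole image distinguishes the two copies.
	out.SigAcceptsOriginal = DeviceVerify(pub, original, sig)
	out.SigAcceptsTampered = DeviceVerify(pub, tampered, sig)
	return out, nil
}

func main() {
	out, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

The design point is that the CRC32 and the prefix MD5 are both computable by
whoever holds the file, so neither tells the device who produced the image;
only a signature over the full content, verified on the device against a key
the attacker cannot obtain from the update tool, does.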
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-06-07: Vulnerability discovered
2024-07-04: Vulnerability reported to manufacturer
2024-07-09 – 2024-12-02: Consultation and cooperation with the manufacturer
2024-12-06: Patch released by manufacturer
2024-12-06: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for InspectorP62x
    https://www.sick.com/at/en/catalog/produkte/industrielle-bildverarbeitung-und-identifikation/industrielle-bildverarbeitung/inspectorp62x/c/g507066
[2] SySS Security Advisory SYSS-2024-054
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-054.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Manuel Stotz and Tobias Jäger
of SySS GmbH.

E-Mail: manuel.stotz@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Manuel_Stotz.asc
Key ID: 0xE790F68ABCE68C6D
Key Fingerprint: F051 5B74 7E70 193E 7F66 0133 E790 F68A BCE6 8C6D

E-Mail: tobias.jaeger@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Tobias_Jaeger.asc
Key ID: 0xABF0CF2F4D0220F9
Key Fingerprint: 5C9F 5312 F37E B9AB E87B 1212 ABF0 CF2F 4D02 20F9

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE8FFbdH5wGT5/ZgEz55D2irzmjG0FAmdNuGQACgkQ55D2irzm
jG3VUQ/+OsCSdQ/vNvAreYoNxeeMNU4BFVPChx/RSnS5wpumlLBKABcjY1uybcFq
tWjMu1i/x91ico1DBMqltOBsLXrhuUTbIgLWjYwBhRvlIrszoBDIrjL2g0lhHwU9
uobVX0rjEl4FMuVewf+dYmna/98mkHvsJ05Z1Jwn86Rqy1Re8w6DfJfa1O3htXYn
b+vkyMlZvL+m5t88sWjDldx9HwM/wg8tcdQ548aY/5BmVip+8ORV9to7CgkgUZkB
Ew4RRFSwpySrZumTlDt3OYUVAuHnDaQ29QVVQ0jlTkgTQpSYWOrSk4uCsHp3TMQA
11z5Pzw/uKdtT0Q2nTqJq3Np9PE+DOVYOSuwYfgh8nSIDFrZAo7MonJuvcks7QT8
iJs3WIHUp+Oetmk+uG8s5Tjvz8e3AN1z8vdWa+1UlH6rqv6crGjkM58A0NhonYb4
v+KRKyL8JHt8xqtcKAb5mM+BNokiCIweVjfBNTykEB7DQCzhWKFyn62gIdYs9OIa
N1xvyZRHgNSSmYl9PHiLiMuVNnoS1BD/2aRYOsQX81B3DqEYJWm6bEltrOwomB9p
+uYS4zUsEAz6Piz7+cmMHmoegnkymGqU23suNAtu7dZZpPFb+YQnDRI/W4W3YbLj
hZ2k7hSGz+fL+xpgHldDOBA7UdviAKbduLNqajA4VG5bv4+f7mY=
=u5nC
-----END PGP SIGNATURE-----