-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID:               SYSS-2024-055
Product:                   InspectorP61x, InspectorP62x, TiM3xx
Manufacturer:              SICK AG
Affected Version(s):       <5.0.0, <5.0.0, <5.10.0
Tested Version(s):         N/A, v4.0.0.283, V4.2.1.6197
Vulnerability Type:        Hidden Functionality (CWE-912)
                           Reusing a Nonce, Key Pair in Encryption (CWE-323)
Risk Level:                CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
                           CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Solution Status:           Fixed
Manufacturer Notification: 2024-07-04
Solution Date:             2024-12-06
Public Disclosure:         2024-12-06
CVE Reference:             CVE-2024-10773, CVE-2024-11022
Author of Advisory:        Manuel Stotz and Tobias Jäger, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The SICK AG's InspectorP62x is a camera for industrial use.

The manufacturer describes the product as follows (see [1]):

"The InspectorP62x is an industrial all-in-one vision sensor that is easy
to use, compact and versatile. The integrated system of teach auto focus
optics and flexible illumination provides high-quality images right out
of the box. The included and pre-installed Quality Inspection toolset of
SICK Nova welcomes both expert and non-expert users to configure the
sensor in no time using an accessible and intuitive web user interface."

Due to hardcoded credentials and a login procedure which allows
pass-the-hash techniques, the login with the hidden user level can
always be performed. This allows full access to the camera, even if the
user has changed all passwords.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The camera has the user levels 1 to 7, with 4 being the "Service"
account, which is the highest administrative user a customer can access.
The users with levels 5 to 7 are not documented.

The password file located in "/home/sick/persist/opdata/password.prm"
contains the hashes for all user levels.

For the login, two procedures are implemented.
First, a legacy procedure, which is used by the CoLa protocols, creates
the MD5 hash of the password and then divides the hash into four parts
of the same size. These parts are then combined using the XOR operator.
The result is a 4-byte hex string, which is then sent to the server for
authentication. These four bytes are also stored in the "password.prm"
file; therefore, an attacker can use the stored information to log in to
the device.

The other protocol, used for example by the web application, is a
challenge-response procedure. The server generates a nonce, which is
then hashed in combination with a hash derived from the password. This
password hash is stored in the file "password.prm"; therefore, it can be
used to log in. Beyond that, the challenge can be used several times for
login, which allows for replay attacks against this login procedure.

After extracting the file "password.prm" from one camera, it was
possible to log in to other cameras using the captured hash for the
hidden user level 7. This was also verified by logging in to a SICK
TiM3xx. Thus, it can be assumed that the credentials for the hidden
user levels 5 to 7 are hardcoded and identical on all SICK devices.

This leads to a full compromise of the affected SICK cameras.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

In coordination with the manufacturer, this information will be
disclosed at a later date.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Fixed firmware versions were provided by the manufacturer. Customers
should update affected devices to the latest firmware version.
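The two weaknesses in the vulnerability details (a stored value that is identical to the transmitted credential, and a challenge that stays valid for more than one login) can be illustrated in code. The following Python is an added example written for this advisory; it is neither SICK's code nor part of the original SySS text. The first function reproduces the described legacy folding (MD5 of the password, split into four equal parts, XOR of the parts) under the assumption that the split operates on the raw 16-byte digest; it makes visible that the stored 4-byte value is exactly what a client would send and that only 32 bits of it exist. The second part models a server for the challenge-response login that hands out every nonce once, with an expiry, and burns it on the first verification attempt, so a captured response cannot be replayed. The HMAC-SHA256 response format, the user-level key, the 30-second lifetime and all sample passwords are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Added example, not code from the advisory or from SICK AG.


def legacy_password_digest(password: str) -> str:
    """Reproduce the legacy folding the advisory describes.

    MD5 yields 16 bytes; the four 4-byte quarters are XORed into a single
    4-byte value (assumption: the split is on the raw digest). Because this
    value is both what the device stores and what the client transmits,
    reading the stored value is equivalent to knowing the password
    (pass-the-hash), and the whole credential space is only 2**32 values.
    """
    digest = hashlib.md5(password.encode("utf-8")).digest()
    quarters = [digest[i:i + 4] for i in range(0, 16, 4)]
    folded = bytes(a ^ b ^ c ^ d for a, b, c, d in zip(*quarters))
    return folded.hex()


def client_response(verifier: bytes, nonce: bytes) -> bytes:
    """Client side of the (hypothetical) challenge-response: keyed hash of the nonce."""
    return hmac.new(verifier, nonce, hashlib.sha256).digest()


class ChallengeServer:
    """Hardened challenge-response verifier (hypothetical design).

    Each nonce is random, is valid for one verification attempt only and
    expires after nonce_ttl seconds. A response captured on the wire is
    therefore useless once the nonce has been consumed.
    """

    def __init__(self, verifiers: dict[str, bytes], nonce_ttl: float = 30.0):
        self._verifiers = verifiers                # user level -> stored verifier
        self._open_nonces: dict[bytes, float] = {}  # nonce -> expiry (monotonic)
        self._ttl = nonce_ttl

    def issue_nonce(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._open_nonces[nonce] = time.monotonic() + self._ttl
        return nonce

    def verify(self, level: str, nonce: bytes, response: bytes) -> bool:
        # pop() consumes the nonce whether or not the response is correct, so a
        # wrong guess cannot be retried against the same challenge either.
        expiry = self._open_nonces.pop(nonce, None)
        if expiry is None or time.monotonic() > expiry:
            return False  # unknown, already used, or expired challenge
        verifier = self._verifiers.get(level)
        if verifier is None:
            return False
        expected = hmac.new(verifier, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo_replay_is_rejected() -> tuple[bool, bool]:
    """Legitimate login succeeds once; replaying the same (nonce, response) fails."""
    verifier = hashlib.sha256(b"constructed-sample-password").digest()
    server = ChallengeServer({"4": verifier})
    nonce = server.issue_nonce()
    response = client_response(verifier, nonce)
    first = server.verify("4", nonce, response)
    replay = server.verify("4", nonce, response)
    return first, replay


def demo_unissued_nonce_is_rejected() -> bool:
    """A nonce the server never issued is refused even with a correct keyed hash."""
    verifier = hashlib.sha256(b"constructed-sample-password").digest()
    server = ChallengeServer({"4": verifier})
    forged_nonce = bytes(16)  # constructed, never handed out by the server
    return server.verify("4", forged_nonce, client_response(verifier, forged_nonce))


if __name__ == "__main__":
    print("legacy digest of empty password:", legacy_password_digest(""))
    print("first login / replay accepted:", demo_replay_is_rejected())
    print("unissued nonce accepted:", demo_unissued_nonce_is_rejected())
```

Single-use nonces close the replay issue only. As long as the value the server stores is the same value the client needs to compute its response, anyone who extracts the password file can still authenticate, which is the pass-the-hash problem described above; removing it requires a scheme in which the stored verifier is not sufficient to produce a valid response, and it requires that no credential be shared across devices.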
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-06-07: Vulnerability discovered
2024-07-04: Vulnerability reported to manufacturer
2024-07-09 – 2024-12-02: Consultation and cooperation with the manufacturer
2024-12-06: Patch released by manufacturer
2024-12-06: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for InspectorP62x
    https://www.sick.com/at/en/catalog/produkte/industrielle-bildverarbeitung-und-identifikation/industrielle-bildverarbeitung/inspectorp62x/c/g507066
[2] SySS Security Advisory SYSS-2024-055
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-055.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Manuel Stotz and Tobias Jäger
of SySS GmbH.

E-Mail: manuel.stotz@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Manuel_Stotz.asc
Key ID: 0xE790F68ABCE68C6D
Key Fingerprint: F051 5B74 7E70 193E 7F66 0133 E790 F68A BCE6 8C6D

E-Mail: tobias.jaeger@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Tobias_Jaeger.asc
Key ID: 0xABF0CF2F4D0220F9
Key Fingerprint: 5C9F 5312 F37E B9AB E87B 1212 ABF0 CF2F 4D02 20F9

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE8FFbdH5wGT5/ZgEz55D2irzmjG0FAmdNuGwACgkQ55D2irzm
jG2JVg/+OUu3wCA1QZtLUtT9hvo5gvWqWZSQ6hYuT7U1bGgHCbAbsFCzbIiWYI8t
8BhDgeocY50jVO4tdZ8+LfEjHf+CJNm8oFRIKKP8TIKwtYdEMWIpuQuUhvCaOGCJ
YV4dSbpgW5pMU+/JftrfO7Bp/hLa7oVjCwXOCpG5Fn03nBYKI13AGfJpPp5Dcr/n
1iDrzpE2LJyENfY6hphHeJGh42rSb5ciSE7MKUB07Ve0M/CNsRLKJwFpvMEV1gUA
8wSrDTRLk1tFq6mBuoHqR2LtaQIbSJPdN4QbhVxOHOF5K9JGOnyzSFj+NsqICUuF
/mzhcq9usiFkOE2RG7TZN+/aAWpYUoLNBJFvBqcFvQjQQLakCE31BDXxWx83DbHv
I/NVneKtVThbzrKTauduN4jIcVac7pHbati3MAkI7ht2cDfabtdD6asbCDhA8jq2
9stpylZzH8pq3wmZdwVnCmdT/vmJTYuVLl2fEM62+5/JpFy/vMnAGj6NMmBgFQQJ
YiZ1ThREoWBvPCY/y4AvRZuF0GFitKUM7yi9U1YbNzJvj+R9pQGb/n0NsSB8mWBq
VvlrBXeEan3RQj1aXy5Sd68IDZpUps9OF6XV8L08D8eppsMGvefkkVQjO1TyY6Ni
O708gC9UfHG4mCj8EFX/pU90IMlHnLBobsAiZ54cSxxeQuz//OE=
=bpaJ
-----END PGP SIGNATURE-----