-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2024-056
Product: InspectorP61x, InspectorP62x
Manufacturer: SICK AG
Affected Version(s): <5.0.0, <5.0.0
Tested Version(s): N/A, v4.0.0.283
Vulnerability Type: Missing Authentication for Critical Function (CWE-306)
Risk Level: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Solution Status: Fixed
Manufacturer Notification: 2024-07-04
Solution Date: 2024-12-06
Public Disclosure: 2024-12-06
CVE Reference: CVE-2024-10774, CVE-2024-10776
Author of Advisory: Manuel Stotz and Tobias Jäger, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

SICK AG's InspectorP62x is a camera for industrial use.

The manufacturer describes the product as follows (see [1]):

"The InspectorP62x is an industrial all-in-one vision sensor that is
easy to use, compact and versatile. The integrated system of teach auto
focus optics and flexible illumination provides high-quality images
right out of the box. The included and pre-installed Quality Inspection
toolset of SICK Nova welcomes both expert and non-expert users to
configure the sensor in no time using an accessible and intuitive web
user interface."

Due to a missing authentication concept, large parts of the web
application can be accessed without authentication. In addition, Lua
apps can be deployed, removed, started, reloaded, or stopped without
authorization via AppManager.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The camera offers a web application on port 80/TCP. The web application
offers a login which enables access to further functions depending on
the user level. The web application sets a session cookie; however, the
cookie is never checked on subsequent requests. Except for the password
change function, all other functions offered by the web application can
be accessed without any form of authentication.
This includes the configuration of the device, access to functions
provided by customer apps as well as the upload and download of files.
In addition, Lua apps can be deployed, removed, started, reloaded, or
stopped without authorization via AppManager. This allows an attacker,
for example, to perform a denial-of-service (DoS) attack, read and
write files, or load foreign apps.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

In coordination with the manufacturer, this information will be
disclosed at a later date.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Fixed firmware versions were provided by the manufacturer. Customers
should update affected devices to the latest firmware version.

App development should be conducted in a trusted environment, and app
management should be disabled afterwards.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-06-07: Vulnerability discovered
2024-07-04: Vulnerability reported to manufacturer
2024-07-09 – 2024-12-02: Consultation and cooperation with the
                         manufacturer
2024-12-06: Patch released by manufacturer
2024-12-06: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for InspectorP62x
    https://www.sick.com/at/en/catalog/produkte/industrielle-bildverarbeitung-und-identifikation/industrielle-bildverarbeitung/inspectorp62x/c/g507066
[2] SySS Security Advisory SYSS-2024-056
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-056.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Manuel Stotz and Tobias Jäger
of SySS GmbH.
E-Mail: manuel.stotz@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Manuel_Stotz.asc
Key ID: 0xE790F68ABCE68C6D
Key Fingerprint: F051 5B74 7E70 193E 7F66 0133 E790 F68A BCE6 8C6D

E-Mail: tobias.jaeger@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Tobias_Jaeger.asc
Key ID: 0xABF0CF2F4D0220F9
Key Fingerprint: 5C9F 5312 F37E B9AB E87B 1212 ABF0 CF2F 4D02 20F9

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE8FFbdH5wGT5/ZgEz55D2irzmjG0FAmdNuHMACgkQ55D2irzm
jG3BQhAAl4Zx6cPI0NwwVKqyetH8G6YcBSH4Fg4StcJzz2CTKwtui4p3zTPBJgGr
K3SrAen2YwzI3QYmGd1MVHbo5yNs452TfhcUMruDWiiYs+X7nPxUTi06GkNGtOC4
GmM4ETAw0UkHA4zbuwVbioalE5PPb/vYRhijH4surPDgJDf13Dfamcg9XBDVtuQQ
eVyLu8tdl2JQHhq0lojJTjHnJHmNDj+Gqv7hSoA0LaCMu1uE/aGz39E5a6A4Zq/r
RLELBVU4hYGSqhKxMTzeFpgdkgVKrdktTYdggmIIBFZqFxoHKka9YeCAVLYRqgFs
oKBaVspGC8qzCK4haiB6kuHhKXP6K454tWsorZRHrvlY5/GTGZ3QL/+/7kD6tTNr
7tMwbrLOLxN3nkDX1XzCKTeD0jyeCe47SNwjS3JgSVX3G9Guc4O9/7qCIrsAgjkC
EPRcwk0n6fvkuflS69IrJpUEZz6QxwPxSh69ujusJYot9KEYoXW4K/Tn5n/+FSdn
S/S/qVLTmDErGlz07IERt4thaM939CnXHOj1Ckg0stEx5xSnzjMmgKpZxvKc/kex
6CHRlA+BnXUNXEIGTcXbxFTu9Qi2Sis06IUsUf06BsiKCT29U4hjN6UvLeqwoZjU
YPgrs0g5YbgxXpsVvQ6qk0tKqBoIWMhZ7u1HfNs9mEkJsQ7Xr1U=
=R0dl
-----END PGP SIGNATURE-----
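Editor's note, placed after the signed advisory: the following is an added example and is not part of the SySS advisory, nor SICK firmware code. It models the flaw described under "Vulnerability Details" (a web application that issues a session cookie but never checks it on privileged handlers) next to a deny-by-default variant, and shows the differential check a tester runs to confirm CWE-306: request each endpoint once with a valid session and once without; an endpoint that answers 200 both ways does not enforce authentication. The server, the endpoint paths (`/config`, `/files`, `/apps/*`) and the `session` cookie name are invented for illustration and say nothing about the device's real API.

```python
import http.server
import secrets
import threading
import urllib.error
import urllib.request

# Constructed endpoint names standing in for privileged device functions
# (invented for this example; the advisory lists no paths).
PRIVILEGED = ("/config", "/files", "/apps/deploy", "/apps/start", "/apps/stop")


class Device:
    """In-memory model: known sessions, and whether privileged handlers
    check them. enforce=False models the advisory's flaw."""

    def __init__(self, enforce):
        self.enforce = enforce
        self.sessions = set()


def make_handler(device):
    class Handler(http.server.BaseHTTPRequestHandler):
        def log_message(self, *args):  # keep the example quiet
            pass

        def _has_valid_session(self):
            for part in self.headers.get("Cookie", "").split(";"):
                name, _, value = part.strip().partition("=")
                if name == "session" and value in device.sessions:
                    return True
            return False

        def _reply(self, code, body=b""):
            self.send_response(code)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def do_GET(self):
            if self.path == "/login":
                # Session is issued here in both variants.
                token = secrets.token_hex(16)
                device.sessions.add(token)
                self.send_response(200)
                self.send_header("Set-Cookie", f"session={token}; HttpOnly")
                self.send_header("Content-Length", "0")
                self.end_headers()
                return
            if self.path in PRIVILEGED:
                # Fixed variant: deny by default unless a known session is presented.
                # Flawed variant: the cookie exists but is never consulted.
                if device.enforce and not self._has_valid_session():
                    self._reply(401)
                    return
                self._reply(200, b"ok")
                return
            self._reply(404)

    return Handler


def start_device(enforce):
    """Start a local server modelling the device; returns (server, base_url)."""
    server = http.server.HTTPServer(("127.0.0.1", 0), make_handler(Device(enforce)))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def status(url, cookie=None):
    """HTTP status for a GET, optionally carrying a Cookie header."""
    req = urllib.request.Request(url)
    if cookie:
        req.add_header("Cookie", cookie)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def login(base_url):
    """Obtain a valid session cookie ('session=<token>') from the model."""
    with urllib.request.urlopen(base_url + "/login", timeout=5) as resp:
        return resp.headers["Set-Cookie"].split(";")[0]


def find_unauthenticated(base_url, paths, cookie):
    """Differential check: paths that succeed for a logged-in session and
    succeed identically with no cookie at all are unauthenticated."""
    hits = []
    for path in paths:
        with_session = status(base_url + path, cookie)
        if with_session == 200 and status(base_url + path) == with_session:
            hits.append(path)
    return sorted(hits)


if __name__ == "__main__":
    for enforce in (False, True):
        server, base = start_device(enforce)
        label = "deny-by-default" if enforce else "cookie never checked"
        print(label, find_unauthenticated(base, PRIVILEGED, login(base)))
        server.shutdown()
        server.server_close()
```

Against the flawed variant every privileged path is reported; against the deny-by-default variant the list is empty, because the unauthenticated request gets 401. On a real device the same comparison is run with the device's own session cookie and the endpoint list taken from the web UI's traffic, and any path that is reported is a candidate for the missing-authentication class the advisory describes.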