sca-2019-0002
Vulnerability from csaf_sick
Published
2019-09-20 10:00
Modified
2019-09-20 10:00
Summary
Vulnerability in SICK FX0-GENT00000 and SICK FX0-GPNT00000
Notes
The security-testlab team of Fraunhofer IOSB in Karlsruhe reported a security vulnerability that affects SICK FX0-GPNT00000 and SICK FX0-GENT00000 in the version V3.04.0. The SICK FX0-GPNT00000 and SICK FX0-GENT00000 are vulnerable to a buffer overflow by exploiting the available resources with UDP packets, causing the Flexi Soft System to switch to safety state. Currently SICK is not aware of any public exploits specifically targeting this vulnerability.
SICK has released a new firmware version for the SICK FX0-GPNT00000 and SICK FX0-GENT00000 and
recommends using the new version.
General Security Measures
As general security measures, SICK recommends to minimize network exposure of the devices, restrict network access and follow recommended security practices in order to run the devices in a protected IT environment.
Vulnerability Classification
SICK performs vulnerability classification by using the CVSS scoring system (*CVSS v3.1*). The environmental score is dependent on the customer’s environment and can affect the overall CVSS score. SICK recommends that customers individually evaluate the environmental score to achieve final scoring.
{
"document": {
"acknowledgments": [
{
"organization": "The security-testlab team of Fraunhofer IOSB in Karlsruhe",
"summary": "reporting this vulnerability to SICK"
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "summary",
"text": "The security-testlab team of Fraunhofer IOSB in Karlsruhe reported a security vulnerability that affects SICK FX0-GPNT00000 and SICK FX0-GENT00000 in the version V3.04.0. The SICK FX0-GPNT00000 and SICK FX0-GENT00000 are vulnerable to a buffer overflow by exploiting the available resources with UDP packets, causing the Flexi Soft System to switch to safety state. Currently SICK is not aware of any public exploits specifically targeting this vulnerability.\n\nSICK has released a new firmware version for the SICK FX0-GPNT00000 and SICK FX0-GENT00000 and\nrecommends using the new version."
},
{
"category": "general",
"text": "As general security measures, SICK recommends to minimize network exposure of the devices, restrict network access and follow recommended security practices in order to run the devices in a protected IT environment.",
"title": "General Security Measures"
},
{
"category": "general",
"text": "SICK performs vulnerability classification by using the CVSS scoring system (*CVSS v3.1*). The environmental score is dependent on the customer\u2019s environment and can affect the overall CVSS score. SICK recommends that customers individually evaluate the environmental score to achieve final scoring.",
"title": "Vulnerability Classification"
}
],
"publisher": {
"category": "vendor",
"contact_details": "psirt@sick.de",
"issuing_authority": "SICK PSIRT is responsible for any vulnerabilities related to SICK products.",
"name": "SICK PSIRT",
"namespace": "https://sick.com/psirt"
},
"references": [
{
"summary": "SICK PSIRT Security Advisories",
"url": "https://sick.com/psirt"
},
{
"summary": "SICK Operating Guidelines",
"url": "https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF"
},
{
"summary": "ICS-CERT recommended practices on Industrial Security",
"url": "http://ics-cert.us-cert.gov/content/recommended-practices"
},
{
"summary": "CVSS v3.1 Calculator",
"url": "https://www.first.org/cvss/calculator/3.1"
},
{
"category": "self",
"summary": "The canonical URL.",
"url": "https://www.sick.com/.well-known/csaf/white/2019/sca-2019-0002.json"
}
],
"title": "Vulnerability in SICK FX0-GENT00000 and SICK FX0-GPNT00000",
"tracking": {
"current_release_date": "2019-09-20T10:00:00.000Z",
"generator": {
"date": "2023-02-09T14:15:58.516Z",
"engine": {
"name": "Secvisogram",
"version": "2.0.0"
}
},
"id": "SCA-2019-0002",
"initial_release_date": "2019-09-20T10:00:00.000Z",
"revision_history": [
{
"date": "2019-09-20T10:00:00.000Z",
"number": "1",
"summary": "Initial Release"
},
{
"date": "2023-02-09T11:00:00.000Z",
"number": "2",
"summary": "Updated Advisory (only visual changes)"
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "SICK SICK FX0-GENT00000 all versions",
"product_id": "CSAFPID-0001",
"product_identification_helper": {
"skus": [
"1044072"
],
"x_generic_uris": [
{
"namespace": "SICK:Website",
"uri": "SICK:Website:https://www.sick.com/de/de/p/p80485"
}
]
}
}
}
],
"category": "product_name",
"name": "FX0-GENT00000"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "SICK FX0-GPNT00000 all versions",
"product_id": "CSAFPID-0002",
"product_identification_helper": {
"skus": [
"1044074"
],
"x_generic_uris": [
{
"namespace": "SICK:Website",
"uri": "SICK:Website:https://www.sick.com/de/de/p/p80487"
}
]
}
}
}
],
"category": "product_name",
"name": "FX0-GPNT00000"
}
],
"category": "product_family",
"name": "SICK FX0"
},
{
"branches": [
{
"category": "product_version",
"name": "3.04.0",
"product": {
"name": "SICK FX0-GENT00000 Firmware 3.04.0",
"product_id": "CSAFPID-0003"
}
},
{
"category": "product_version",
"name": "3.05.0",
"product": {
"name": "SICK FX0-GENT00000 Firmware 3.05.0",
"product_id": "CSAFPID-0004"
}
}
],
"category": "product_name",
"name": "FX0-GENT00000 Firmware"
},
{
"branches": [
{
"category": "product_version",
"name": "3.04.0",
"product": {
"name": "SICK FX0-GPNT00000 Firmware 3.04.0",
"product_id": "CSAFPID-0005"
}
},
{
"category": "product_version",
"name": "3.05.0",
"product": {
"name": "SICK FX0-GPNT00000 Firmware 3.05.0",
"product_id": "CSAFPID-0006"
}
}
],
"category": "product_name",
"name": "FX0-GPNT00000 Firmware"
}
],
"category": "vendor",
"name": "SICK AG"
}
],
"relationships": [
{
"category": "installed_on",
"full_product_name": {
"name": "SICK FX0-GENT00000 with Firmware 3.04.0",
"product_id": "CSAFPID-0007"
},
"product_reference": "CSAFPID-0003",
"relates_to_product_reference": "CSAFPID-0001"
},
{
"category": "installed_on",
"full_product_name": {
"name": "SICK FX0-GPNT00000 with Firmware 3.04.0",
"product_id": "CSAFPID-0008"
},
"product_reference": "CSAFPID-0005",
"relates_to_product_reference": "CSAFPID-0002"
},
{
"category": "installed_on",
"full_product_name": {
"name": "SICK FX0-GENT00000 with Firmware 3.05.0",
"product_id": "CSAFPID-0009"
},
"product_reference": "CSAFPID-0004",
"relates_to_product_reference": "CSAFPID-0001"
},
{
"category": "installed_on",
"full_product_name": {
"name": "SICK FX0-GPNT00000 with Firmware 3.05.0",
"product_id": "CSAFPID-0010"
},
"product_reference": "CSAFPID-0006",
"relates_to_product_reference": "CSAFPID-0002"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2019-14753",
"cwe": {
"id": "CWE-120",
"name": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)"
},
"notes": [
{
"category": "summary",
"text": "The SICK FX0-GPNT00000 and SICK FX0-GENT00000 are vulnerable to a buffer overflow by exploiting the available resources with UDP packets, causing the Flexi Soft System to switch to safety state.",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"CSAFPID-0009",
"CSAFPID-0010"
],
"known_affected": [
"CSAFPID-0007",
"CSAFPID-0008"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "SICK has released a new firmware version for the FX0 GPNT00000 and SICK FX0-GENT00000 and recommends using the new version V3.05.0.",
"product_ids": [
"CSAFPID-0007",
"CSAFPID-0008"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"confidentialityRequirement": "HIGH",
"exploitCodeMaturity": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"remediationLevel": "UNAVAILABLE",
"reportConfidence": "CONFIRMED",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:U/RC:C/CR:H",
"version": "3.1"
},
"products": [
"CSAFPID-0007",
"CSAFPID-0008"
]
}
],
"threats": [
{
"category": "exploit_status",
"details": "Currently SICK is not aware of any public exploits specifically targeting this vulnerability.",
"product_ids": [
"CSAFPID-0007",
"CSAFPID-0008"
]
}
]
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.