sca-2022-0004
Vulnerability from csaf_sick
Published
2022-04-11 15:00
Modified
2022-03-31 15:00
Summary
Microsoft vulnerability affects multiple SICK IPCs with SICK MEAC
Notes
General Security Measures
As general security measures, SICK recommends to minimize network exposure of the devices, restrict network access and follow recommended security practices in order to run the devices in a protected IT environment.
Vulnerability Classification
SICK performs vulnerability classification by using the CVSS scoring system (*CVSS v3.1*). The environmental score is dependent on the customer’s environment and can affect the overall CVSS score. SICK recommends that customers individually evaluate the environmental score to achieve final scoring.
The CVE-2021-26414 “Windows DCOM Server Security Feature Bypass” was issued by Microsoft, that may affect the functionality of the SICK MEAC software installed on SICK IPCs.
**Interpretation**: The vulnerability allows a remote attacker to bypass the Windows DCOM Server authentication process.
**Limitation**: The vulnerability can only be exploited if a user operates on a CVE-2021-26414 affected Windows version and tries to access a malicious server, hosted by an attacker. The attacker would have to host a specially crafted server share or website. It is not possible for an attacker to force the user to visit this specially crafted server share or website. Only by convincing them, typically by way of an enticement in an email or chat message, an exploitation is possible.
{
"document": {
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "As general security measures, SICK recommends to minimize network exposure of the devices, restrict network access and follow recommended security practices in order to run the devices in a protected IT environment.",
"title": "General Security Measures"
},
{
"category": "general",
"text": "SICK performs vulnerability classification by using the CVSS scoring system (*CVSS v3.1*). The environmental score is dependent on the customer\u2019s environment and can affect the overall CVSS score. SICK recommends that customers individually evaluate the environmental score to achieve final scoring.",
"title": "Vulnerability Classification"
},
{
"category": "summary",
"text": "The CVE-2021-26414 \u201cWindows DCOM Server Security Feature Bypass\u201d was issued by Microsoft, that may affect the functionality of the SICK MEAC software installed on SICK IPCs.\n\n**Interpretation**: The vulnerability allows a remote attacker to bypass the Windows DCOM Server authentication process.\n\n**Limitation**: The vulnerability can only be exploited if a user operates on a CVE-2021-26414 affected Windows version and tries to access a malicious server, hosted by an attacker. The attacker would have to host a specially crafted server share or website. It is not possible for an attacker to force the user to visit this specially crafted server share or website. Only by convincing them, typically by way of an enticement in an email or chat message, an exploitation is possible."
}
],
"publisher": {
"category": "vendor",
"contact_details": "psirt@sick.de",
"issuing_authority": "SICK PSIRT is responsible for any vulnerabilities related to SICK products.",
"name": "SICK PSIRT",
"namespace": "https://sick.com/psirt"
},
"references": [
{
"summary": "SICK PSIRT Security Advisories",
"url": "https://sick.com/psirt"
},
{
"summary": "SICK Operating Guidelines",
"url": "https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF"
},
{
"summary": "ICS-CERT recommended practices on Industrial Security",
"url": "http://ics-cert.us-cert.gov/content/recommended-practices"
},
{
"summary": "CVSS v3.1 Calculator",
"url": "https://www.first.org/cvss/calculator/3.1"
},
{
"category": "self",
"summary": "The canonical URL.",
"url": "https://www.sick.com/.well-known/csaf/white/2022/sca-2022-0004.json"
}
],
"title": "Microsoft vulnerability affects multiple SICK IPCs with SICK MEAC",
"tracking": {
"current_release_date": "2022-03-31T15:00:00.000Z",
"generator": {
"date": "2023-02-10T08:48:28.899Z",
"engine": {
"name": "Secvisogram",
"version": "2.0.0"
}
},
"id": "SCA-2022-0004",
"initial_release_date": "2022-04-11T15:00:00.000Z",
"revision_history": [
{
"date": "2022-04-11T15:00:00.000Z",
"number": "1",
"summary": "Initial Release"
},
{
"date": "2023-02-10T11:00:00.000Z",
"number": "2",
"summary": "Updated Advisory (only visual changes)"
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "SICK MEAC vers:all/*",
"product_id": "CSAFPID-0001",
"product_identification_helper": {
"skus": [
"1614631",
"1614636"
]
}
}
}
],
"category": "product_name",
"name": "MEAC"
}
],
"category": "vendor",
"name": "SICK AG"
}
],
"full_product_names": [
{
"name": "Windows 7 (for 32-bit Systems Service Pack 1, for x64-based Systems Service Pack 1)",
"product_id": "CSAFPID-0002"
},
{
"name": "Windows 8.1 (for 32-bit systems, for x64-based systems)",
"product_id": "CSAFPID-0003"
},
{
"name": "Windows 10 (20H2, 21H1, 1607, 1809, 1909, 2004 for 32-bit Systems, ARM64-based Systems, x64-based Systems)",
"product_id": "CSAFPID-0004"
},
{
"name": "Windows RT 8.1",
"product_id": "CSAFPID-0005"
},
{
"name": "Windows Server 2008 (R2 for x64-based Systems Service Pack 1, R2 for x64-based Systems Service Pack 1,(Server Core installation), for 32-bit Systems Service Pack 2, for 32-bit Systems Service Pack 2 (Server Core installation), for x64-based Systems Service Pack 2, for x64-based Systems Service Pack 2 (Server Core installation))",
"product_id": "CSAFPID-0006"
},
{
"name": "Windows Server 2012 ((GUI), (Server Core installation), R2, R2 (Server Core installation))",
"product_id": "CSAFPID-0007"
},
{
"name": "Windows Server 2016 ((GUI), (Server Core installation))",
"product_id": "CSAFPID-0008"
},
{
"name": "Windows Server 2019 ((GUI), (Server Core installation))",
"product_id": "CSAFPID-0009"
},
{
"name": "Windows Server 20H2 (Server Core Installation)",
"product_id": "CSAFPID-0010"
},
{
"name": "Windows Server 2004 (Server Core installation)",
"product_id": "CSAFPID-0011"
}
],
"relationships": [
{
"category": "installed_on",
"full_product_name": {
"name": "SICK MEAC with Windows 7 (for 32-bit Systems Service Pack 1, for x64-based Systems Service Pack 1)",
"product_id": "CSAFPID-0012"
},
"product_reference": "CSAFPID-0002",
"relates_to_product_reference": "CSAFPID-0001"
},
{
"category": "installed_on",
"full_product_name": {
"name": "SICK MEAC with Windows 8.1 (for 32-bit systems, for x64-based systems)",
"product_id": "CSAFPID-0013"
},
"product_reference": "CSAFPID-0003",
"relates_to_product_reference": "CSAFPID-0001"
},
{
"category": "installed_on",
"full_product_name": {
"name": "SICK MEAC with Windows 10 (20H2, 21H1, 1607, 1809, 1909, 2004 for 32-bit Systems, ARM64-based Systems, x64-based Systems)",
"product_id": "CSAFPID-0014"
},
"product_reference": "CSAFPID-0004",
"relates_to_product_reference": "CSAFPID-0001"
},
{
"category": "installed_on",
"full_product_name": {
"name": "SICK MEAC with Windows RT 8.1",
"product_id": "CSAFPID-0015"
},
"product_reference": "CSAFPID-0005",
"relates_to_product_reference": "CSAFPID-0001"
},
{
"category": "installed_on",
"full_product_name": {
"name": "SICK MEAC with Windows Server 2008 (R2 for x64-based Systems Service Pack 1, R2 for x64-based Systems Service Pack 1,(Server Core installation), for 32-bit Systems Service Pack 2, for 32-bit Systems Service Pack 2 (Server Core installation), for x64-based Systems Service Pack 2, for x64-based Systems Service Pack 2 (Server Core installation))",
"product_id": "CSAFPID-0016"
},
"product_reference": "CSAFPID-0006",
"relates_to_product_reference": "CSAFPID-0001"
},
{
"category": "installed_on",
"full_product_name": {
"name": "SICK MEAC with Windows Server 2012 ((GUI), (Server Core installation), R2, R2 (Server Core installation))",
"product_id": "CSAFPID-0017"
},
"product_reference": "CSAFPID-0007",
"relates_to_product_reference": "CSAFPID-0001"
},
{
"category": "installed_on",
"full_product_name": {
"name": "SICK MEAC with Windows Server 2016 ((GUI), (Server Core installation))",
"product_id": "CSAFPID-0018"
},
"product_reference": "CSAFPID-0008",
"relates_to_product_reference": "CSAFPID-0001"
},
{
"category": "installed_on",
"full_product_name": {
"name": "SICK MEAC with Windows Server 2019 ((GUI), (Server Core installation))",
"product_id": "CSAFPID-0019"
},
"product_reference": "CSAFPID-0009",
"relates_to_product_reference": "CSAFPID-0001"
},
{
"category": "installed_on",
"full_product_name": {
"name": "SICK MEAC with Windows Server 20H2 (Server Core Installation)",
"product_id": "CSAFPID-0020"
},
"product_reference": "CSAFPID-0010",
"relates_to_product_reference": "CSAFPID-0001"
},
{
"category": "installed_on",
"full_product_name": {
"name": "SICK MEAC with Windows Server 2004 (Server Core installation)",
"product_id": "CSAFPID-0021"
},
"product_reference": "CSAFPID-0011",
"relates_to_product_reference": "CSAFPID-0001"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-26414",
"cwe": {
"id": "CWE-358",
"name": "Improperly Implemented Security Check for Standard"
},
"notes": [
{
"category": "summary",
"text": "The CVE-2021-26414 \u201cWindows DCOM Server Security Feature Bypass\u201d was issued by Microsoft, that may affect the functionality of the SICK MEAC software installed on SICK IPCs. \nInterpretation: The vulnerability allows a remote attacker to bypass the Windows DCOM Server authentication process.\nLimitation: The vulnerability can only be exploited if a user operates on a CVE-2021-26414 affected Windows version and tries to access a malicious server, hosted by an attacker. The attacker would have to host a specially crafted server share or website. It is not possible for an attacker to force the user to visit this specially crafted server share or website. Only by convincing them, typically by way of an enticement in an email or chat message, an exploitation is possible. ",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016",
"CSAFPID-0017",
"CSAFPID-0018",
"CSAFPID-0019",
"CSAFPID-0020",
"CSAFPID-0021"
]
},
"references": [
{
"summary": "Microsoft, CVE-2021-26414 \u201cWindows DCOM Server Security Feature Bypass\u201d",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26414"
},
{
"summary": "Bypass of the Windows DCOM Server authentication process by CVE-2021-2614",
"url": "https://www.cybersecurity-help.cz/vdb/SB2021060835"
},
{
"summary": "Track DCOM error events",
"url": "https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2021-06-08T10:00:00.000Z",
"details": "Microsoft is addressing this vulnerability in a phased rollout of Windows security updates. Under the current schedule, the hardening changes can be disabled until March 14, 2023:\n\n - June 8, 2021: Hardening changes **disabled by default** but with the ability to enable them using a registry key.\n\n - June 14, 2022: Hardening changes **enabled by default** but with the ability to disable them using a registry key.\n\n - March 14, 2023: Hardening changes **enabled** by default **with no ability to disable them**. By this point, you must resolve any compatibility issues with the hardening changes and applications in your environment.\n \nPrior to the March 2023 release, the hardening change will be disabled if the registry key HKEY_LOCAL_MACHINE \\\\ SOFTWARE \\\\ Microsoft \\\\ Ole \\\\ AppCompat \\\\ RequireIntegrityActivationAuthenticationLevel is undefined or 0, and enabled, if set to 1. A reboot is required after making any changes to the registry key.\n\n**Recommended measures:** Given the moderate risk (a user having to deliberately access a malicious server), SICK recommends deactivating the hardening by using the above registry key, until it has been confirmed that the hardening does not adversely affect the MEAC functionality. SICK will then inform customers in an updated version of this security advisory. \n\nIn a subset of Windows versions with release dates newer than between August 2021 and October 2021, depending on the Windows version, customers can identify vulnerable installations by checking the Windows event log for messages.",
"product_ids": [
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016",
"CSAFPID-0017",
"CSAFPID-0018",
"CSAFPID-0019",
"CSAFPID-0020",
"CSAFPID-0021"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016",
"CSAFPID-0017",
"CSAFPID-0018",
"CSAFPID-0019",
"CSAFPID-0020",
"CSAFPID-0021"
]
}
]
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.