sick sim2000_firmware 关键功能的认证机制缺失

CVE编号

CVE-2022-27582

利用情况

暂无

补丁情况

N/A

披露时间

2022-11-02

漏洞描述

Password recovery vulnerability in SICK SICK SIM4000 (PPC) Partnumber 1078787 allows an unprivileged remote attacker to gain access to the userlevel defined as RecoverableUserLevel by invocating the password recovery mechanism method. This leads to a increase in their privileges on the system and thereby affecting the confidentiality integrity and availability of the system. An attacker can expect repeatable success by exploiting the vulnerability. Please make sure that you apply general security practices when operating the SIM4000. The following general security practices could mitigate the associated security risk. A fix is planned but not yet scheduled.

解决建议

建议您更新当前系统或软件至最新版，完成漏洞的修复。

参考链接
https://sick.com/psirt

受影响软件情况

#	类型	厂商	产品	版本	影响面
1
	运行在以下环境
	系统	sick	sim1000_fx_firmware	*		Up to (excluding) 1.6.0
	运行在以下环境
	系统	sick	sim1004_firmware	*		Up to (excluding) 2.0.0
	运行在以下环境
	系统	sick	sim1012_firmware	*		Up to (excluding) 2.2.0
	运行在以下环境
	系统	sick	sim2000st_firmware	*		Up to (excluding) 1.2.0
	运行在以下环境
	系统	sick	sim2000_firmware	*		Up to (excluding) 1.2.0
	运行在以下环境
	系统	sick	sim2500_firmware	*		Up to (excluding) 1.2.0
	运行在以下环境
	系统	sick	sim4000_firmware	*	-
	运行在以下环境
	硬件	sick	sim1000_fx	-	-
	运行在以下环境
	硬件	sick	sim1004	-	-
	运行在以下环境
	硬件	sick	sim1012	-	-
	运行在以下环境
	硬件	sick	sim2000	-	-
	运行在以下环境
	硬件	sick	sim2000st	-	-
	运行在以下环境
	硬件	sick	sim2500	-	-
	运行在以下环境
	硬件	sick	sim4000	-	-

CVSS3评分 9.8

• 攻击路径 网络
• 攻击复杂度 低
• 权限要求 无
• 影响范围 未更改
• 用户交互 无
• 可用性 高
• 保密性 高
• 完整性 高

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-ID	漏洞类型
CWE-306	关键功能的认证机制缺失

Exp相关链接

- avd.aliyun.com