Missing Authentication for Critical Function in SICK Flexi Classic and Flexi Soft Gateways
| Risk | Medium |
| Patch available | NO |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2023-23444 |
| CWE-ID | CWE-306 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
SICK FX0-GENT00000 Hardware solutions / Routers & switches, VoIP, GSM, etc SICK FX0-GENT00010 Hardware solutions / Routers & switches, VoIP, GSM, etc SICK FX0-GENT00030 Hardware solutions / Routers & switches, VoIP, GSM, etc SICK FX0-GMOD00000 Hardware solutions / Routers & switches, VoIP, GSM, etc SICK FX0-GMOD00010 Hardware solutions / Routers & switches, VoIP, GSM, etc SICK FX0-GPNT00000 Hardware solutions / Routers & switches, VoIP, GSM, etc SICK FX0-GPNT00010 Hardware solutions / Routers & switches, VoIP, GSM, etc SICK FX0-GPNT00030 Hardware solutions / Routers & switches, VoIP, GSM, etc SICK UE410-EN1 FLEXI Hardware solutions / Routers & switches, VoIP, GSM, etc SICK UE410-EN3 FLEXI Hardware solutions / Routers & switches, VoIP, GSM, etc SICK UE410-EN4 FLEXI Hardware solutions / Routers & switches, VoIP, GSM, etc |
| Vendor | Sick AG |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Missing Authentication for Critical Function
EUVDB-ID: #VU77926
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-23444
CWE-ID:
CWE-306 - Missing Authentication for Critical Function
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to missing authentication for critical function. A remote attacker can send a broadcasted UDP packet and change the IP settings of the affected device.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsSICK FX0-GENT00000: All versions
SICK FX0-GENT00010: All versions
SICK FX0-GENT00030: All versions
SICK FX0-GMOD00000: All versions
SICK FX0-GMOD00010: All versions
SICK FX0-GPNT00000: All versions
SICK FX0-GPNT00010: All versions
SICK FX0-GPNT00030: All versions
SICK UE410-EN1 FLEXI: All versions
SICK UE410-EN3 FLEXI: All versions
SICK UE410-EN4 FLEXI: All versions
CPE2.3- cpe:2.3:h:sick_ag:sick_fx0-gent00000:*:*:*:*:*:*:*:*
- cpe:2.3:h:sick_ag:sick_fx0-gent00010:*:*:*:*:*:*:*:*
- cpe:2.3:h:sick_ag:sick_fx0-gent00030:*:*:*:*:*:*:*:*
- cpe:2.3:h:sick_ag:sick_fx0-gmod00000:*:*:*:*:*:*:*:*
- cpe:2.3:h:sick_ag:sick_fx0-gmod00010:*:*:*:*:*:*:*:*
- cpe:2.3:h:sick_ag:sick_fx0-gpnt00000:*:*:*:*:*:*:*:*
- cpe:2.3:h:sick_ag:sick_fx0-gpnt00010:*:*:*:*:*:*:*:*
- cpe:2.3:h:sick_ag:sick_fx0-gpnt00030:*:*:*:*:*:*:*:*
- cpe:2.3:h:sick_ag:sick_ue410-en1_flexi:*:*:*:*:*:*:*:*
- cpe:2.3:h:sick_ag:sick_ue410-en3_flexi:*:*:*:*:*:*:*:*
- cpe:2.3:h:sick_ag:sick_ue410-en4_flexi:*:*:*:*:*:*:*:*
https://sick.com/.well-known/csaf/white/2023/sca-2023-0003.json
https://sick.com/psirt
https://sick.com/.well-known/csaf/white/2023/sca-2023-0003.pdf
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
