CVE-2022-27584

Password recovery vulnerability in SICK SIM2000ST Partnumber 1080579 allows an unprivileged remote attacker to gain access to the userlevel defined as RecoverableUserLevel by invocating the password recovery mechanism method. This leads to an increase in their privileges on the system and thereby affecting the confidentiality integrity and availability of the system. An attacker can expect repeatable success by exploiting the vulnerability. The firmware versions <=1.7.0 allow to optionally disable device configuration over the network interfaces. Please make sure that you apply general security practices when operating the SIM2000ST. A fix is planned but not yet scheduled.

CVSS v3.0 9.8 CRITICAL

9.8^/10

CVSS v3.0 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://sick.com/psirt	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:sick:sim2000st_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:sick:sim2000st:-:*:*:*:*:*:*:*

Information

Published : 2022-11-01 14:15

Updated : 2022-12-16 08:15

NVD link : CVE-2022-27584

Mitre link : CVE-2022-27584

JSON object : View

CWE

CWE-306

Missing Authentication for Critical Function

Products Affected

sick

sim2000st_firmware
sim2000st

9.8 /10