Firmware Update Vulnerability: Remote Code Execution Risks
CVE-2024-10771

8.8 HIGH

Key Information:

Vendor:
SICK AG
CVE Published:
6 December 2024

Summary

The vulnerability is caused by inadequate input validation in the firmware update process of the affected SICK products. An attacker with network access to the device who holds a user-level 'Service' account can exploit this weakness to execute arbitrary commands with root privileges, leading to unauthorized access and potential full compromise of the device. Organizations using affected SICK products should review their security controls for these devices and apply the vendor's firmware updates promptly to mitigate the risk.

Affected Version(s)

  • SICK InspectorP61x 0

  • SICK InspectorP62x 0

  • TiM3xx 0

References

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Manuel Stotz
Tobias Jaeger