CVE-2023-3273 - Vulnerability Details - OpenCVE

Improper Access Control in the SICK ICR890-4 could allow an unauthenticated remote attacker to affect the availability of the device by changing settings of the device such as the IP
address based on missing access control.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00557.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Sick	Icr890-4 Icr890-4 Firmware
Sick Ag	Icr890-4

Configuration 1 [-]

AND

cpe:2.3:o:sick:icr890-4_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:sick:icr890-4:-:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2023-43949	Improper Access Control in the SICK ICR890-4 could allow an unauthenticated remote attacker to affect the availability of the device by changing settings of the device such as the IP address based on missing access control.

Fixes

Solution

No solution given by the vendor.

Workaround

SICK recommends to disable port 2111 & 2122 once the SICK ICR890-4 is put into operation.

References

Link	Providers
https://sick.com/.well-known/csaf/white/2023/sca-2023-0006.json
https://sick.com/.well-known/csaf/white/2023/sca-2023-0006.pdf
https://sick.com/psirt

History

Tue, 12 Nov 2024 15:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Sick Ag Sick Ag icr890-4
CPEs		cpe:2.3:a:sick_ag:icr890-4::::::::
Vendors & Products		Sick Ag Sick Ag icr890-4
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: SICK AG

Published: 2023-07-10T09:31:17.829Z

Updated: 2024-11-12T14:17:56.263Z

Reserved: 2023-06-15T11:32:34.499Z

Link: CVE-2023-3273

Vulnrichment

Updated: 2024-08-02T06:48:08.408Z

NVD

Status : Modified

Published: 2023-07-10T16:15:55.560

Modified: 2024-11-21T08:16:52.610

Link: CVE-2023-3273

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-3273", "assignerOrgId": "a6863dd2-93fc-443d-bef1-79f0b5020988", "state": "PUBLISHED", "assignerShortName": "SICK AG", "dateReserved": "2023-06-15T11:32:34.499Z", "datePublished": "2023-07-10T09:31:17.829Z", "dateUpdated": "2024-11-12T14:17:56.263Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "ICR890-4", "vendor": "SICK AG", "versions": [{"lessThan": "2.5.0", "status": "affected", "version": "0", "versionType": "*"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": true, "type": "text/html", "value": "\n\nImproper Access Control in the SICK ICR890-4 could allow an unauthenticated remote attacker to affect the availability of the device by changing settings of the device such as the IP\naddress based on missing access control.\n\n\n"}], "value": "\nImproper Access Control in the SICK ICR890-4 could allow an unauthenticated remote attacker to affect the availability of the device by changing settings of the device such as the IP\naddress based on missing access control.\n\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "description": "CWE-284 Improper Access Control", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "a6863dd2-93fc-443d-bef1-79f0b5020988", "shortName": "SICK AG", "dateUpdated": "2023-07-10T09:39:09.749Z"}, "references": [{"tags": ["issue-tracking"], "url": "https://sick.com/psirt"}, {"tags": ["vendor-advisory"], "url": "https://sick.com/.well-known/csaf/white/2023/sca-2023-0006.pdf"}, {"tags": ["x_csaf"], "url": "https://sick.com/.well-known/csaf/white/2023/sca-2023-0006.json"}], "source": {"discovery": "INTERNAL"}, "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n SICK recommends to disable port 2111 & 2122 once the SICK ICR890-4 is put into operation.\n\n<br>"}], "value": "\n SICK recommends to disable port 2111 & 2122 once the SICK ICR890-4 is put into operation.\n\n\n"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T06:48:08.408Z"}, "title": "CVE Program Container", "references": [{"tags": ["issue-tracking", "x_transferred"], "url": "https://sick.com/psirt"}, {"tags": ["vendor-advisory", "x_transferred"], "url": "https://sick.com/.well-known/csaf/white/2023/sca-2023-0006.pdf"}, {"tags": ["x_csaf", "x_transferred"], "url": "https://sick.com/.well-known/csaf/white/2023/sca-2023-0006.json"}]}, {"affected": [{"vendor": "sick_ag", "product": "icr890-4", "cpes": ["cpe:2.3:a:sick_ag:icr890-4:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "2.5.0", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-11-12T14:17:22.856069Z", "id": "CVE-2023-3273", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-12T14:17:56.263Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://sick.com/psirt", "tags": ["issue-tracking", "x_transferred"]}, {"url": "https://sick.com/.well-known/csaf/white/2023/sca-2023-0006.pdf", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://sick.com/.well-known/csaf/white/2023/sca-2023-0006.json", "tags": ["x_csaf", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T06:48:08.408Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-3273", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-11-12T14:17:22.856069Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:sick_ag:icr890-4:*:*:*:*:*:*:*:*"], "vendor": "sick_ag", "product": "icr890-4", "versions": [{"status": "affected", "version": "0", "lessThan": "2.5.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-12T14:17:50.441Z"}}], "cna": {"source": {"discovery": "INTERNAL"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "SICK AG", "product": "ICR890-4", "versions": [{"status": "affected", "version": "0", "lessThan": "2.5.0", "versionType": "*"}], "defaultStatus": "affected"}], "references": [{"url": "https://sick.com/psirt", "tags": ["issue-tracking"]}, {"url": "https://sick.com/.well-known/csaf/white/2023/sca-2023-0006.pdf", "tags": ["vendor-advisory"]}, {"url": "https://sick.com/.well-known/csaf/white/2023/sca-2023-0006.json", "tags": ["x_csaf"]}], "workarounds": [{"lang": "en", "value": "\n SICK recommends to disable port 2111 & 2122 once the SICK ICR890-4 is put into operation.\n\n\n", "supportingMedia": [{"type": "text/html", "value": "\n\n SICK recommends to disable port 2111 & 2122 once the SICK ICR890-4 is put into operation.\n\n<br>", "base64": false}]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "\nImproper Access Control in the SICK ICR890-4 could allow an unauthenticated remote attacker to affect the availability of the device by changing settings of the device such as the IP\naddress based on missing access control.\n\n\n", "supportingMedia": [{"type": "text/html", "value": "\n\nImproper Access Control in the SICK ICR890-4 could allow an unauthenticated remote attacker to affect the availability of the device by changing settings of the device such as the IP\naddress based on missing access control.\n\n\n", "base64": true}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control"}]}], "providerMetadata": {"orgId": "a6863dd2-93fc-443d-bef1-79f0b5020988", "shortName": "SICK AG", "dateUpdated": "2023-07-10T09:39:09.749Z"}}}, "cveMetadata": {"cveId": "CVE-2023-3273", "state": "PUBLISHED", "dateUpdated": "2024-11-12T14:17:56.263Z", "dateReserved": "2023-06-15T11:32:34.499Z", "assignerOrgId": "a6863dd2-93fc-443d-bef1-79f0b5020988", "datePublished": "2023-07-10T09:31:17.829Z", "assignerShortName": "SICK AG"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:sick:icr890-4_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "C9781FA2-2446-4587-8BBA-1AC342BC5A0F", "versionEndExcluding": "2.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:sick:icr890-4:-:*:*:*:*:*:*:*", "matchCriteriaId": "8E1AF1D7-8380-4B5C-8258-214F00638CC2", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "\nImproper Access Control in the SICK ICR890-4 could allow an unauthenticated remote attacker to affect the availability of the device by changing settings of the device such as the IP\naddress based on missing access control.\n\n\n"}], "id": "CVE-2023-3273", "lastModified": "2024-11-21T08:16:52.610", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "psirt@sick.de", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-07-10T16:15:55.560", "references": [{"source": "psirt@sick.de", "tags": ["Vendor Advisory"], "url": "https://sick.com/.well-known/csaf/white/2023/sca-2023-0006.json"}, {"source": "psirt@sick.de", "tags": ["Vendor Advisory"], "url": "https://sick.com/.well-known/csaf/white/2023/sca-2023-0006.pdf"}, {"source": "psirt@sick.de", "tags": ["Product"], "url": "https://sick.com/psirt"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://sick.com/.well-known/csaf/white/2023/sca-2023-0006.json"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://sick.com/.well-known/csaf/white/2023/sca-2023-0006.pdf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://sick.com/psirt"}], "sourceIdentifier": "psirt@sick.de", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "psirt@sick.de", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}