CVE-2023-23450

Summary

Use of Password Hash Instead of Password for Authentication in SICK FTMg AIR FLOW SENSOR with Partnumbers 1100214, 1100215, 1100216, 1120114, 1120116, 1122524, 1122526 allows an unprivileged remote attacker to use a password hash instead of an actual password to login to a valid user account via the REST interface.

Affected Software

VendorProductVersion RangeStatus
SICK AGSICK FTMG-ESD15AXX AIR FLOW SENSORall firmware versionsaffected
SICK AGSICK FTMG-ESD20AXX AIR FLOW SENSORall firmware versionsaffected
SICK AGSICK FTMG-ESD25AXX AIR FLOW SENSORall firmware versionsaffected
SICK AGSICK FTMG-ESN40SXX AIR FLOW SENSORall firmware versionsaffected
SICK AGSICK FTMG-ESN50SXX AIR FLOW SENSORall firmware versionsaffected
SICK AGSICK FTMG-ESR40SXX AIR FLOW SENSORall firmware versionsaffected
SICK AGSICK FTMG-ESR50SXX AIR FLOW SENSORall firmware versionsaffected

Weaknesses

  • CWE-836: CWE-836 (Use of Password Hash Instead of Password for Authentication)

Workarounds

Please make sure that you apply general security practices when operating the SICK FTMg like network segmentation. The following General Security Practices and Operating Guidelines could mitigate the associated security risk.

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References