{ "document": { "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en-US", "notes": [ { "category": "general", "text": "As general security measures, SICK recommends to minimize network exposure of the devices, restrict network access and follow recommended security practices in order to run the devices in a protected IT environment.", "title": "General Security Measures" }, { "category": "general", "text": "SICK performs vulnerability classification by using the CVSS scoring system (*CVSS v3.1*). The environmental score is dependent on the customer’s environment and can affect the overall CVSS score. SICK recommends that customers individually evaluate the environmental score to achieve final scoring.", "title": "Vulnerability Classification" }, { "category": "summary", "text": "SICK received a report about a vulnerability in the SICK Overall Equipment Effectiveness (OEE). The services under the OEE application are started in the context of system privileges. \n\nAn attacker can perform a privilege escalation if the application is installed in a directory, where non \nauthenticated or low privilege users can modify the content of the OEE application. \n\nSICK recommends implementing the mitigations below." } ], "publisher": { "category": "vendor", "contact_details": "psirt@sick.de", "issuing_authority": "SICK AG issues and issues in EHS products (when related to the Endress+Hauser SICK (EHS) joint venture).", "name": "SICK PSIRT", "namespace": "https://www.sick.com/psirt" }, "references": [ { "summary": "SICK PSIRT Security Advisories", "url": "https://sick.com/psirt" }, { "summary": "SICK Operating Guidelines", "url": "https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf" }, { "summary": "ICS-CERT recommended practices on Industrial Security", "url": "http://ics-cert.us-cert.gov/content/recommended-practices" }, { "summary": "CVSS v3.1 Calculator", "url": "https://www.first.org/cvss/calculator/3.1" }, { "category": "self", "summary": "The canonical URL.", "url": "https://www.sick.com/.well-known/csaf/white/2022/sca-2022-0005.json" } ], "title": "Vulnerability in SICK Overall Equipment Effectiveness (OEE)", "tracking": { "current_release_date": "2022-04-11T15:00:00.000Z", "generator": { "date": "2023-02-10T08:54:34.372Z", "engine": { "name": "Secvisogram", "version": "2.0.0" } }, "id": "SCA-2022-0005", "initial_release_date": "2022-04-11T15:00:00.000Z", "revision_history": [ { "date": "2022-04-11T15:00:00.000Z", "number": "1", "summary": "Initial Release" }, { "date": "2023-02-10T11:00:00.000Z", "number": "2", "summary": "Updated Advisory (only visual changes)" }, { "number": "3", "date": "2025-07-30T07:29:45.000Z", "summary": "Updated Advisory: URL for SICK Operating Guidelines has been updated" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "0.5.1", "product": { "name": "SICK Overall Equipment Effectiveness (OEE) 0.5.1", "product_id": "CSAFPID-0001", "product_identification_helper": { "skus": [ "1613866" ] } } } ], "category": "product_name", "name": "Overall Equipment Effectiveness (OEE)" } ], "category": "vendor", "name": "SICK AG" } ] }, "vulnerabilities": [ { "cve": "CVE-2022-27578", "cwe": { "id": "CWE-250", "name": "Execution with Unnecessary Privileges" }, "notes": [ { "category": "description", "text": "An attacker can perform a privilege escalation through the SICK OEE if the application is installed in a directory where non authenticated or low privilege users can modify its content.", "title": "CVE Description" } ], "product_status": { "fixed": [ "CSAFPID-0001" ] }, "references": [ { "category": "external", "summary": "CVE Entry", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27578" } ], "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T10:00:00.000Z", "details": "SICK recommends installing the application in a directory, that is only modifiable by system or \nadministrator users. The default installation path of the SICK OEE application is %ProgramFiles% [i.e. \n“C:\\Program Files” or “C:\\Programme” depending on the installation language], which is by default only \nmodifiable by system or administrator users. ", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ] } ] }