CVE-2023-23450 in FTMg Air Flow Sensor
Summary
by MITRE • 05/15/2023
Use of Password Hash Instead of Password for Authentication in SICK FTMg AIR FLOW SENSOR with Partnumbers 1100214, 1100215, 1100216, 1120114, 1120116, 1122524, 1122526 allows an unprivileged remote attacker to use a password hash instead of an actual password to login to a valid user account via the REST interface.
Analysis
by VulDB Data Team • 06/08/2023
This vulnerability exists in SICK FTMg air flow sensors with the part numbers 1100214, 1100215, 1100216, 1120114, 1120116, 1122524 and 1122526. It is a critical authentication bypass that allows an unprivileged remote attacker to gain access to a valid user account through the device's REST interface. The root cause is improper handling of authentication credentials: the device accepts a password hash in place of the actual password, which defeats the mechanism meant to protect device access. The issue is classified under CWE-287, Improper Authentication, covering weak authentication mechanisms that fail to properly validate user credentials.
In practice, the authentication flow can be satisfied by submitting the password hash instead of the plaintext password at login. The device treats the hash as a valid credential, so the normal password verification step is bypassed. The REST interface is the attack vector, so exploitation is remote and requires neither physical access to the device nor knowledge of the plaintext password, only possession of the hash. Because the weakness sits in the authentication layer itself, an attacker can impersonate any legitimate user whose hash they hold and potentially gain full administrative control of the sensor.
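The pattern described above (a password verifier that is satisfied by the stored hash as well as by the password) is easiest to see next to its corrected form. The following is an added, hypothetical illustration written for this page; it is not SICK's firmware code, and the salted SHA-256 storage format, the `USERS` record layout and the function names are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed credential store for the example; a real device would use a
# random per-user salt and a slow KDF rather than a fixed salt and plain SHA-256.
SALT = b"example-salt"


def _hash_password(password: str, salt: bytes) -> str:
    """Salted SHA-256 hex digest of a password (storage format assumed for this example)."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


USERS = {
    "operator": {"salt": SALT, "pw_hash": _hash_password("correct horse", SALT)},
}


def login_vulnerable(username: str, secret: str) -> bool:
    """The weak verifier: accepts the password OR the stored hash itself.

    This is the "hash instead of password" defect class: whoever obtains the
    stored hash (leaked backup, config export, another device sharing the
    account) never needs to recover the password.
    """
    rec = USERS.get(username)
    if rec is None:
        return False
    return secret == rec["pw_hash"] or _hash_password(secret, rec["salt"]) == rec["pw_hash"]


def login_fixed(username: str, password: str) -> bool:
    """The corrected verifier: only a password that re-hashes to the stored digest passes."""
    rec = USERS.get(username)
    if rec is None:
        # Run the hash anyway so response time does not reveal whether the user exists.
        _hash_password(password, SALT)
        return False
    candidate = _hash_password(password, rec["salt"])
    # Constant-time comparison so the digest is not leaked byte by byte through timing.
    return hmac.compare_digest(candidate, rec["pw_hash"])


if __name__ == "__main__":
    stored = USERS["operator"]["pw_hash"]
    print("vulnerable, password:", login_vulnerable("operator", "correct horse"))
    print("vulnerable, hash:    ", login_vulnerable("operator", stored))
    print("fixed, password:     ", login_fixed("operator", "correct horse"))
    print("fixed, hash:         ", login_fixed("operator", stored))
```

The fixed verifier also refuses to treat the submitted value as a digest under any circumstance: the only input that authenticates is one that produces the stored digest when hashed with the user's salt.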
The operational impact goes beyond unauthorized access: an attacker who controls a user account can manipulate sensor data, modify device configuration, or disrupt the industrial process the sensor serves. Flow sensors are often critical components in industrial automation, where accurate measurement and control are essential for safety and operational efficiency. Altered flow measurements, disabled alarms, or manipulated readings could lead to operational failures, safety hazards, or financial losses. Because the attack is remote, the device can be targeted from anywhere on the network, which makes the attack surface considerably larger than if physical access were required.
Organizations should apply immediate mitigations: disable the REST interface where it is not required, segment the network so these devices are isolated from critical systems, and ensure all devices run the latest firmware released by SICK. The vulnerability aligns with ATT&CK technique T1078.004 for Valid Accounts and T1110.003 for Brute Force, as attackers could use this weakness to authenticate with password hashes obtained through other means. Regular security assessments of industrial control systems should include verification of authentication mechanisms, and network monitoring should be extended to detect unusual authentication patterns or unauthorized access attempts against these devices. Where possible, organizations should also add multi-factor authentication and establish robust credential management policies to reduce the risk of credential compromise.
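The monitoring recommendation above is concrete enough to put into a small detection routine. The following is an added example for this page, not VulDB's or SICK's tooling; it assumes that a proxy in front of the REST interface (or the device itself) records, per login attempt, only the shape of the submitted credential (its length and whether it is entirely hexadecimal) and never the secret, and the `AUTH_LOG` records are constructed for the example. Two indicators are checked: credentials shaped like common hex digests (the signature of a hash being submitted as a password) and bursts of failed logins from one source.

```python
from collections import Counter

# Constructed records, not a real SICK or VulDB log format. Each entry describes
# one REST login attempt; the credential itself is deliberately not logged.
AUTH_LOG = [
    {"src": "10.0.0.5",  "user": "operator", "cred_len": 13, "cred_is_hex": False, "ok": True},
    {"src": "10.0.0.5",  "user": "operator", "cred_len": 13, "cred_is_hex": False, "ok": True},
    {"src": "10.0.0.9",  "user": "operator", "cred_len": 64, "cred_is_hex": True,  "ok": True},
    {"src": "10.0.0.17", "user": "admin",    "cred_len": 9,  "cred_is_hex": False, "ok": False},
    {"src": "10.0.0.17", "user": "admin",    "cred_len": 11, "cred_is_hex": False, "ok": False},
    {"src": "10.0.0.17", "user": "admin",    "cred_len": 40, "cred_is_hex": True,  "ok": False},
    {"src": "10.0.0.17", "user": "admin",    "cred_len": 32, "cred_is_hex": True,  "ok": False},
]

# Hex-digest lengths of MD5, SHA-1, SHA-256 and SHA-512 respectively.
DIGEST_LENGTHS = {32, 40, 64, 128}


def hash_shaped_logins(records):
    """Attempts whose credential is all-hex and exactly a common digest length.

    A legitimate operator typing a password rarely produces this shape, so a hit
    (especially a successful one) is worth an alert on a device with this weakness.
    Returns (src, user, ok) tuples in log order.
    """
    return [
        (r["src"], r["user"], r["ok"])
        for r in records
        if r["cred_is_hex"] and r["cred_len"] in DIGEST_LENGTHS
    ]


def failure_bursts(records, threshold=3):
    """Sources with at least `threshold` failed logins: a simple brute-force indicator."""
    failures = Counter(r["src"] for r in records if not r["ok"])
    return {src: n for src, n in failures.items() if n >= threshold}


def report(records, threshold=3):
    """Combine both indicators into one dict suitable for forwarding to a SIEM."""
    return {
        "hash_shaped": hash_shaped_logins(records),
        "bursts": failure_bursts(records, threshold),
    }


if __name__ == "__main__":
    for key, value in report(AUTH_LOG).items():
        print(f"{key}: {value}")
```

The digest-length check is a heuristic: a genuinely random 64-character hex password would also trigger it, so the finding should be correlated with the successful-login flag and with the source address before anyone acts on it.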