CVE-2024-10773
📋 TL;DR
This vulnerability allows attackers to perform pass-the-hash attacks using hardcoded credentials for hidden user levels, granting full device access. It affects SICK industrial automation devices with specific firmware versions. Organizations using these devices in operational technology environments are at risk.
💻 Affected Systems
- SICK industrial automation devices (specific models not listed in provided references)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete device compromise allowing attackers to manipulate industrial processes, steal sensitive data, or disrupt operations in critical infrastructure environments.
Likely Case
Unauthorized access to device configuration and operational data, potentially leading to production disruption or safety system manipulation.
If Mitigated
Limited impact if devices are properly segmented, monitored, and have network access controls preventing unauthorized authentication attempts.
🎯 Exploit Status
Pass-the-hash attacks are well-known techniques requiring network access to authentication services. Hidden user levels with hardcoded credentials make exploitation straightforward once discovered.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific patched versions
Vendor Advisory: https://sick.com/psirt
Restart Required: Yes
Instructions:
1. Check SICK PSIRT for affected products and patches.
2. Download appropriate firmware updates.
3. Apply updates following vendor procedures.
4. Verify patch application and restart devices as required.
🔧 Temporary Workarounds
Network segmentation
all: Isolate affected devices in separate network segments with strict access controls
Authentication monitoring
all: Implement monitoring for authentication attempts to hidden user accounts
🧯 If You Can't Patch
- Implement strict network access controls to limit authentication attempts to authorized systems only
- Deploy intrusion detection systems monitoring for pass-the-hash attack patterns and unusual authentication
🔍 How to Verify
Check if Vulnerable:
Check device firmware version against vendor advisory and test for hidden user level authentication
Check Version:
Device-specific command - consult SICK documentation for firmware version checking
Verify Fix Applied:
Verify firmware version matches patched version from vendor advisory and test that hidden user levels no longer accept authentication
📡 Detection & Monitoring
Log Indicators:
- Authentication attempts to hidden user accounts
- Multiple failed authentication attempts followed by success
- Unusual authentication patterns from unexpected sources
Network Indicators:
- NTLM/LM authentication traffic patterns consistent with pass-the-hash attacks
- Authentication requests to industrial device management interfaces
SIEM Query:
source="device_logs" AND (event_type="authentication" AND (user="*hidden*" OR user="*admin*" OR user="*system*"))
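The three log indicators listed above, applied to already-parsed authentication events, as an added example that is not code from SICK or from this page. The event fields, account names, management subnet and failure threshold are assumptions, and the hidden user level name is a placeholder because the page does not give it.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions, not from the advisory: replace with site-specific values.
HIDDEN_LEVELS = {"HIDDEN_LEVEL_PLACEHOLDER"}    # hidden user level names (placeholder)
ALLOWED_SOURCES = [ip_network("10.20.0.0/24")]  # hosts expected to log in to devices
FAIL_THRESHOLD = 3                              # failures before a success is suspicious

# Constructed sample events, as they might look after parsing device logs.
SAMPLE_EVENTS = [
    {"ts": "08:00:01", "src": "10.20.0.5", "user": "operator", "result": "ok"},
    {"ts": "08:02:10", "src": "10.20.0.9", "user": "maintenance", "result": "fail"},
    {"ts": "08:02:12", "src": "10.20.0.9", "user": "maintenance", "result": "fail"},
    {"ts": "08:02:15", "src": "10.20.0.9", "user": "maintenance", "result": "fail"},
    {"ts": "08:02:19", "src": "10.20.0.9", "user": "maintenance", "result": "ok"},
    {"ts": "08:30:00", "src": "192.0.2.44", "user": "HIDDEN_LEVEL_PLACEHOLDER",
     "result": "ok"},
]

def detect(events):
    """Return (ts, src, user, reason) alerts; events must be in time order."""
    alerts = []
    fails = defaultdict(int)  # consecutive failed logins per source address
    for e in events:
        base = (e["ts"], e["src"], e["user"])
        # Indicator 1: any attempt, failed or not, against a hidden user level.
        if e["user"] in HIDDEN_LEVELS:
            alerts.append(base + ("hidden-user-level",))
        # Indicator 3: authentication from a source outside the allow-list.
        if not any(ip_address(e["src"]) in net for net in ALLOWED_SOURCES):
            alerts.append(base + ("unexpected-source",))
        # Indicator 2: a run of failures from one source ending in a success.
        if e["result"] == "fail":
            fails[e["src"]] += 1
        else:
            if fails[e["src"]] >= FAIL_THRESHOLD:
                alerts.append(base + ("failures-then-success",))
            fails[e["src"]] = 0
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```
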
🔗 References
- https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF
- https://sick.com/psirt
- https://www.cisa.gov/resources-tools/resources/ics-recommended-practices
- https://www.first.org/cvss/calculator/3.1
- https://www.sick.com/.well-known/csaf/white/2024/sca-2024-0006.json
- https://www.sick.com/.well-known/csaf/white/2024/sca-2024-0006.pdf