The device uses a weak hashing alghorithm to create the password hash. Hence, a matching password can be easily calculated by an attacker. This impacts the security and the integrity of the device.
The password storage mechanism is based on a weak hashing algorithm (CWE-328) that does not provide adequate cryptographic resistance. An attacker who gains access to stored password hashes can calculate the matching password in a relatively short time in an unauthorized manner. This results from the algorithm's vulnerability to dictionary attacks, brute-force attacks, or precomputed hash attacks (e.g., rainbow tables).
An attacker can recover the authentication password to the device, leading to complete breach of confidentiality, integrity, and availability of the system — including unauthorized takeover of device control.
Apply patches available from the manufacturer according to references (sick.com/psirt). Additionally, it is recommended to change passwords on devices, restrict network access to devices, and follow CISA ICS guidelines for securing industrial control systems.
SICK DL100 devices — specific versions indicated in manufacturer references (sick.com/psirt and SICK IM0084411 documentation)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H