Summary: the vulnerability is caused by the use of hard-coded credentials.
# Vulnerability: Use of Hard-coded Credentials in SICK MSC800 PLC
## CVE Details
- **CVE ID:** CVE-2019-11200
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-798 (Use of Hard-coded Credentials)
## Affected Systems
- **Products:** SICK MSC800 (Modular System Controller)
- **Versions:** All versions prior to firmware version 2.10.0
- **Configurations:** Systems where the device is reachable over the network and still uses the default/factory credential settings.
## Vulnerability Description
The SICK MSC800 PLC contains hard-coded credentials within its firmware. This flaw allows an attacker to gain unauthorized access to the device’s management interfaces. Because the credentials are fixed and identical across all affected units, an attacker with network access to the device can authenticate with administrative privileges without needing to provide unique or user-defined credentials.
## Exploitation
- **Status:** PoC available (Technical details of the credentials have been documented in security research).
- **Complexity:** Low
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Full access to device configuration and sensitive operational data)
- **Integrity:** High (Ability to modify PLC logic, configuration, and system parameters)
- **Availability:** High (Ability to reboot the device, disrupt industrial processes, or brick the hardware)
## Remediation
### Patches
- **Firmware Update:** Upgrade to firmware version **2.10.0** or later. SICK has released updates that address the hard-coded credential issue and enforce better credential management.
### Workarounds
- **Network Isolation:** Ensure the MSC800 is not accessible from the public internet.
- **Micro-segmentation:** Place the PLC behind a firewall, in a segregated industrial VLAN or demilitarized zone, so that only trusted engineering workstations can reach it.
- **VPN:** Use secure VPN tunnels for any required remote access to the PLC environment.
## Detection
- **Indicators of Compromise:** Successful logins to the management interface originating from unexpected or non-engineering IP addresses.
- **Detection methods and tools:**
  - Use industrial IDS/IPS signatures aimed at detecting MSC800 management traffic.
  - Audit network traffic and authentication logs for use of the specific hard-coded account strings, if those are recorded in local asset inventories.
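The two detection rules above (successful logins from outside the engineering allowlist, and any use of account names recorded in a local inventory of known default/hard-coded accounts) can be applied to authentication logs with a short script. The following is an added example, not code from the advisory, SICK or Kaspersky; the syslog-style line format, the account name `svc_default`, the trusted network `10.10.5.0/24` and the sample addresses are constructed assumptions for illustration.

```python
"""Flag PLC management logins that violate the advisory's detection rules.

Added example. The log line format, the account names and the IP
addresses used here are constructed assumptions, not values from the
advisory or from the vendor.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed syslog-style record emitted by an authentication proxy or firewall
# sitting in front of the PLC (constructed format; real devices differ).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>success|failure)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    src: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one auth record, or None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(lines: Iterable[str], trusted_networks: Iterable[str],
            default_accounts: Iterable[str]) -> List[Alert]:
    """Apply both detection rules to a stream of log lines and return alerts."""
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_networks]
    defaults = set(default_accounts)
    alerts: List[Alert] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not an authentication record
        # Rule 1: any use of a known default/hard-coded account name,
        # whether or not the login succeeded, is worth reviewing.
        if rec["user"] in defaults:
            alerts.append(Alert(rec["ts"], rec["user"], rec["src"],
                                "use of known default/hard-coded account"))
        # Rule 2: successful logins must come from the engineering allowlist.
        if rec["result"] != "success":
            continue
        try:
            src = ipaddress.ip_address(rec["src"])
        except ValueError:
            alerts.append(Alert(rec["ts"], rec["user"], rec["src"],
                                "successful login with unparseable source address"))
            continue
        if not any(src in n for n in nets):
            alerts.append(Alert(rec["ts"], rec["user"], rec["src"],
                                "successful login from outside engineering allowlist"))
    return alerts


# Constructed sample log: one normal login, one failure, one login using an
# inventoried default account, one success from an outside address, and one
# failed attempt from another outside address.
SAMPLE_LOG = """\
2019-07-01T08:00:01Z auth user=engineer1 src=10.10.5.21 result=success
2019-07-01T08:02:17Z auth user=engineer1 src=10.10.5.21 result=failure
2019-07-01T08:05:44Z auth user=svc_default src=10.10.5.21 result=success
2019-07-01T08:09:03Z auth user=engineer2 src=203.0.113.77 result=success
2019-07-01T08:11:30Z auth user=admin src=198.51.100.9 result=failure
"""
TRUSTED_NETWORKS = ["10.10.5.0/24"]          # assumed engineering workstation subnet
DEFAULT_ACCOUNTS = {"svc_default"}           # placeholder name from a local inventory


def run_demo() -> List[Alert]:
    """Run both rules over the constructed sample log."""
    return analyze(SAMPLE_LOG.splitlines(), TRUSTED_NETWORKS, DEFAULT_ACCOUNTS)


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a.ts} user={a.user} src={a.src}: {a.reason}")
```

On the sample log this yields two alerts: the `svc_default` login (rule 1) and the successful `engineer2` login from `203.0.113.77` (rule 2). Failed attempts from outside addresses are deliberately not alerted by rule 2, since the advisory's indicator is unauthorized successful logins; widen the rule if brute-force visibility is also wanted.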
## References
- **Vendor Advisory:** hxxps://www[.]sick[.]com/de/en/service-and-support/cybersecurity/w/cybersecurity/
- **Kaspersky ICS CERT:** hxxps://ics-cert[.]kaspersky[.]com/advisories/2019/06/28/critical-vulnerability-in-sick-msc800-plc/
- **NVD Entry:** hxxps://nvd[.]nist[.]gov/vuln/detail/CVE-2019-11200