SICK Enterprise and Logistic Analytics Products User Enumeration Vulnerability

Vulnerability

A vulnerability allowing user enumeration has been identified in SICK Enterprise Analytics and SICK Logistic Analytics products. The issue arises from a lack of authentication on certain endpoints, which lets unauthenticated clients request data and gather information about user accounts. The vulnerability could be exploited to bypass authentication and access sensitive information, because the application exposes the login to an H2 database used for caching, with usernames prefilled in the login form.

Impact

Exploitation of this vulnerability allows for user enumeration, where an attacker can gather information about existing usernames in the system. This could be further exploited to gain unauthorized access, especially in conjunction with other vulnerabilities that bypass authentication or expose sensitive information.
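To make the two weaknesses described above concrete, here is an added Python model (not code from SICK or from the advisory) of an endpoint that serves user data without an authentication check and a login page that prefills usernames, beside a hardened handler that requires a session before returning account data and serves the login form without usernames. The paths, the user store and the handler names are hypothetical, and the user store is constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional, Set

# Constructed sample account store (username -> password hash placeholder).
USERS = {"admin": "<hash>", "operator": "<hash>", "auditor": "<hash>"}


@dataclass
class Request:
    path: str
    session_user: Optional[str] = None  # None means no authenticated session


def vulnerable_handler(req: Request):
    """Models the advisory: account data and a prefilled login form are
    reachable without any authentication check."""
    if req.path == "/api/users":
        return 200, {"users": sorted(USERS)}          # no auth check at all
    if req.path == "/login":
        return 200, {"username_options": sorted(USERS)}  # usernames prefilled
    return 404, {}


def hardened_handler(req: Request):
    """Same routes with the fixes: the login form carries no usernames, and
    every other route rejects unauthenticated requests with one uniform
    response before any account lookup happens."""
    if req.path == "/login":
        return 200, {"username_options": []}
    if req.session_user is None:
        return 401, {"error": "authentication required"}
    if req.path == "/api/users":
        return 200, {"users": sorted(USERS)}
    return 404, {}


def usernames_leaked_unauthenticated(handler) -> Set[str]:
    """Probe the handler as an unauthenticated client and collect every
    username it reveals; an empty set means no enumeration is possible."""
    leaked: Set[str] = set()
    for path in ("/api/users", "/login"):
        status, body = handler(Request(path=path))
        if status == 200:
            leaked.update(body.get("users", []))
            leaked.update(body.get("username_options", []))
    return leaked


if __name__ == "__main__":
    print("vulnerable leaks:", usernames_leaked_unauthenticated(vulnerable_handler))
    print("hardened leaks:  ", usernames_leaked_unauthenticated(hardened_handler))
```

The probe function is the check a defender would run against a staging deployment: any username returned to a client with no session is an enumeration path.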

Remediation

Users are advised to ensure that only trusted entities have access to the affected SICK Enterprise Analytics and SICK Logistic Analytics products. Additionally, general security measures should be applied when operating these products. SICK's Operating Guidelines and ICS-CERT recommended practices on Industrial Security can provide further assistance in implementing these security practices.

Added: Oct 6, 2025, 7:19 AM
Updated: Oct 6, 2025, 7:19 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 7.4
remediation: 0.0
relevance: 0.7
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.