SICK Analytics Products Uncontrolled Resource Consumption Vulnerability
Vulnerability
A vulnerability exists in SICK Enterprise Analytics and SICK Logistic Analytics products, all versions, allowing users to send unvalidated large payloads during login attempts. This flaw creates excessive log entries, potentially leading to log dilution or manipulation. Additionally, the lack of proper authentication on multiple endpoints exposes sensitive application information to unauthorized users.
Impact
Exploitation of this vulnerability could result in unauthorized access to the application, allowing attackers to manipulate or falsify log entries by injecting large payloads through an unvalidated POST request. This could obscure legitimate activities or create false records, complicating incident response and forensic analysis.
Reproduction
To reproduce this vulnerability, send a POST request to the application's login endpoint with oversized payloads in the request body. The application will log these entries, creating a record of the login attempt that can be manipulated or exaggerated.
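The two weaknesses described above (no size check on the login body, and attacker-controlled text written verbatim into the log) can be closed at the request boundary. The following is an added example written for this page, not SICK's code or the product's API: a login handler that rejects oversized bodies before they are parsed or logged, caps and hashes any user-supplied text that does reach the log, and a small detector that flags source addresses inflating the login log. The JSON field names, the 4096-byte limit, the log format and the sample addresses are all assumptions constructed for illustration.

```python
"""Added example (not SICK's code or the product's API): bound the login
request size, sanitize what gets logged, and flag log-dilution attempts.
All limits, field names and log formats below are assumptions."""
import hashlib
import json
import logging
from collections import defaultdict
from io import StringIO

MAX_LOGIN_BODY_BYTES = 4096    # assumption: far above any legitimate login form
MAX_LOGGED_FIELD_CHARS = 64    # assumption: cap on user-controlled text per log line


def sanitize_for_log(value: str) -> str:
    """Neutralise CR/LF (so a payload cannot forge extra log lines) and cap length."""
    cleaned = value.replace("\r", "\\r").replace("\n", "\\n")
    if len(cleaned) <= MAX_LOGGED_FIELD_CHARS:
        return cleaned
    digest = hashlib.sha256(cleaned.encode()).hexdigest()[:12]
    # Keep a short prefix plus a hash so analysts can still correlate repeated payloads
    return f"{cleaned[:MAX_LOGGED_FIELD_CHARS]}...[truncated len={len(cleaned)} sha256={digest}]"


def handle_login(raw_body: bytes, source_ip: str, log: logging.Logger):
    """Return an HTTP-style (status, message). Size is checked before parsing or logging."""
    if len(raw_body) > MAX_LOGIN_BODY_BYTES:
        # Fixed-size entry: none of the oversized body reaches the log
        log.warning("login rejected ip=%s reason=body_too_large size=%d", source_ip, len(raw_body))
        return 413, "payload too large"
    try:
        data = json.loads(raw_body)
        username = str(data["username"])
    except (ValueError, KeyError, TypeError):
        log.warning("login rejected ip=%s reason=malformed_body", source_ip)
        return 400, "malformed request"
    # Credential verification is out of scope here; only the logging behaviour matters
    log.info("login attempt ip=%s user=%s", source_ip, sanitize_for_log(username))
    return 401, "invalid credentials"


def detect_log_dilution(log_lines, max_lines_per_ip=20, max_bytes_per_ip=8192):
    """Flag source IPs whose login entries are unusually many or unusually large."""
    count = defaultdict(int)
    volume = defaultdict(int)
    for line in log_lines:
        if "login" not in line:
            continue
        ip = next((tok[3:] for tok in line.split() if tok.startswith("ip=")), None)
        if ip is None:
            continue
        count[ip] += 1
        volume[ip] += len(line.encode())
    return sorted(ip for ip in count
                  if count[ip] > max_lines_per_ip or volume[ip] > max_bytes_per_ip)


def demo():
    """Run constructed requests through the handler and return statuses plus the log text."""
    buf = StringIO()
    log = logging.getLogger("login-demo")
    log.handlers.clear()
    log.propagate = False
    log.setLevel(logging.INFO)
    log.addHandler(logging.StreamHandler(buf))

    normal = json.dumps({"username": "alice", "password": "x"}).encode()
    # Constructed oversized payload, far past the limit
    huge = json.dumps({"username": "A" * 100_000, "password": "x"}).encode()
    # Constructed payload under the size limit but with a long field and an embedded newline
    sneaky = json.dumps({"username": "bob\nFAKE ENTRY " + "B" * 200, "password": "x"}).encode()

    statuses = [handle_login(normal, "10.0.0.1", log)[0],
                handle_login(huge, "10.0.0.2", log)[0],
                handle_login(sneaky, "10.0.0.3", log)[0]]
    return statuses, buf.getvalue()


if __name__ == "__main__":
    statuses, text = demo()
    print(statuses)
    print(text)
```

The size check runs on the raw byte count before any parsing, so the rejected request costs one fixed-length log line regardless of payload size; the sanitizer handles the remaining case of a payload that is small enough to pass but still long or newline-laden. The detector is deliberately simple (per-source line count and byte volume) and is the kind of check an analyst would run over the existing login log to see whether dilution is already under way.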
Remediation
SICK recommends updating to version 4.6.2 or later for the Baggage Analytics, Tire Analytics, Package Analytics, and Logistic Diagnostic Analytics products. For SICK Enterprise Analytics, no specific version update is mentioned, but general security practices should be followed.
