Security Advisory VISULENS 550

Vulnerability Title

DoS vulnerability of VISULENS 550 communication module

Vulnerability description

General:
A denial of service (DoS) attack is an attack where an attacker tries to make a specific resource unavailable for the original purpose. This is usually achieved by flooding the respective resource with requests or traffic so that the respective resource cannot respond or crashes.

VISULENS 550:
On the VISULENS 550 a vulnerability of the communication component against DoS attacks has been discovered.
By exploiting the respective vulnerability via a DoS attack, the communication module can be forced to crash so that a network communication from or to the device is no longer possible.
The measurement functionality of the VISULENS 550 itself will function as intended during the attack as well as when the communication module might not be available after the attack.

Severity:
• CVSS v3.1 Base score: 7.5
• CVSS v3.1 Environmental Score: 6.5
• CVSS v3.1 Modified Impact Subscore: 3.6
• CVSS v3.1 vector string: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/CR:X/IR:X/AR:X/MAV:A/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X

Mitigations for affected versions:
After the DoS attack, the system can simply be rebooted to its original state and functionality. As long as the DoS attack is still present, the communication module cannot be brought back to a functional state.

Mitigation:
Carl Zeiss Meditec AG is currently working on fixing the problem either in a dedicated patch or in the next upcoming release. This article will be updated as soon as a fix is available.

Acknowledgements:
We would thank Jean Pereira for reporting that vulnerability.