|
JVNDB-2022-002691
|
Multiple vulnerabilities in OMRON products
|
Machine automation controller NJ/NX series, Automation software "Sysmac Studio", and programmable terminal (PT) NA series provided by OMRON Corporation contain multiple vulnerabilities in the communication function.
The vulnerabilities are as follows.
* Use of Hard-coded Credentials (CWE-798) - CVE-2022-34151
* Authentication Bypass by Capture-replay (CWE-294) - CVE-2022-33208
* Active Debug Code (CWE-489) - CVE-2022-33971
OMRON Corporation reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.
|
CVSS V3 Severity: Base Metrics 9.4 (Critical) [Other]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: Low
- Integrity Impact: High
- Availability Impact: High
The above CVSS base score has been assigned to CVE-2022-34151.
|
CVSS V3 Severity: Base Metrics 7.5 (High) [Other]
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
The above CVSS base score has been assigned to CVE-2022-33208.
|
CVSS V3 Severity: Base Metrics 8.3 (High) [Other]
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
The above CVSS base score has been assigned to CVE-2022-33971.
|
|
OMRON Corporation
- Automation software "Sysmac Studio"
- Programmable terminal (PT) NA series
- Machine automation controller NJ series
- Machine automation controller NX series
|
For details of the affected products, model numbers, and version numbers, refer to OMRON's advisories.
OMRON also advises users to consult the respective products' manuals for details on how to check the affected products, model numbers, and versions.
|
Impacts of each vulnerability are as follows.
* A remote attacker who successfully obtained the user credentials by analyzing the affected product may access the controller - CVE-2022-34151
* A remote attacker who can analyze the communication between the affected controller and automation software "Sysmac Studio" and/or a programmable terminal (PT) may access the controller - CVE-2022-33208
* An adjacent attacker who can analyze the communication between the controller and the specific software used by OMRON internally may cause a denial-of-service (DoS) condition or execute a malicious program - CVE-2022-33971
|
[Update the Software]
OMRON states that the updates for the respective products will be released gradually, so users are advised to contact OMRON sales representatives or distributors for the latest information regarding the updates.
* Inquiries from users in Japan (in Japanese)
* Inquiries from users outside Japan
* "Sysmac Studio" users are advised to update the software to the latest version using the installed Omron Automation Software AutoUpdate tool
Furthermore, users are recommended to apply workarounds to mitigate the impacts of these vulnerabilities.
For details of the workarounds, refer to OMRON's advisories.
|
OMRON Corporation
|
- Authentication Bypass by Capture-replay (CWE-294) [Other]
- Active Debug Code (CWE-489) [Other]
- Use of Hard-coded Credentials (CWE-798) [Other]
|
- CVE-2022-34151
- CVE-2022-33208
- CVE-2022-33971
|
- JVN : JVNVU#97050784
- National Vulnerability Database (NVD) : CVE-2022-34151
- National Vulnerability Database (NVD) : CVE-2022-33208
- National Vulnerability Database (NVD) : CVE-2022-33971
- US-CERT National Cyber Awareness System Alerts : AA22-103A
|
- [2022/11/10]
Web page was published
|