[Japanese]

JVNDB-2022-002765

Multiple vulnerabilities in OMRON CX-Programmer

Overview

CX-Programmer provided by Omron Corporation contains multiple vulnerabilities listed below.

* Use-after-free (CWE-416) - CVE-2022-43508, CVE-2023-22277, CVE-2023-22317, CVE-2023-22314
* Out-of-bounds Write (CWE-787) - CVE-2022-43509
* Stack-based Buffer Overflow (CWE-121) - CVE-2022-43667

Michael Heinzl reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 7.8 (High) [Other]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base scores have been assigned for CVE-2022-43508,CVE-2023-22277,CVE-2023-22317,CVE-2023-22314


CVSS V3 Severity:
Base Metrics:7.8 (High) [Other]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base scores have been assigned for CVE-2022-43509


CVSS V3 Severity:
Base Metrics:7.8 (High) [Other]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base scores have been assigned for CVE-2022-43667
Affected Products


OMRON Corporation
  • CX-Programmer Ver.9.77 and earlier - CVE-2022-43508
  • CX-Programmer Ver.9.78 and earlier - CVE-2022-43509, CVE-2022-43667
  • CX-Programmer Ver.9.79 and earlier - CVE-2023-22277, CVE-2023-22317, CVE-2023-22314

Impact

By having a user to open a specially crafted CXP file, information disclosure and/or arbitrary code execution may occur.
Solution

[Update the Software]
Update for CX-One suite is applied by its Auto Update function, therefore it is not necessary for the users to take any actions.
The developer recommends the users to contact the developer and/or the sales representatives if there are any issues with Auto Update.

For more information, refer to the information provided by the developer.
Vendor Information

OMRON Corporation
CWE (What is CWE?)

  1. Stack-based Buffer Overflow(CWE-121) [Other]
  2. Use After Free(CWE-416) [Other]
  3. Out-of-bounds Write(CWE-787) [Other]
CVE (What is CVE?)

  1. CVE-2022-43508
  2. CVE-2022-43509
  3. CVE-2022-43667
  4. CVE-2023-22277
  5. CVE-2023-22314
  6. CVE-2023-22317
References

  1. JVN : JVNVU#92877622
  2. National Vulnerability Database (NVD) : CVE-2022-43508
  3. National Vulnerability Database (NVD) : CVE-2022-43509
  4. National Vulnerability Database (NVD) : CVE-2022-43667
  5. IPA SECURITY ALERTS : ICSA-22-356-04
Revision History

  • [2022/11/28]
      Web page was published
  • [2023/01/12]
      Overview was modified
      CVSS Severity was modified
      Affected Products : Product versions were added
      Solution was modified
      CVE : CVE-2023-22277,CVE-2023-22314,CVE-2023-22317 was added
      References : Contents were added