
JVNDB-2023-001534

Security Issues in FINS protocol

Overview

FINS (Factory Interface Network Service) is a message communication protocol designed for use in closed FA (Factory Automation) networks, and it is used in FA networks composed of Omron products. FINS commands make it possible to read/write information, perform various operations, and set the configuration of FINS-compliant devices. The supported FINS commands vary depending on the product.

* I/O memory area read/write
* Parameter area read/write
* Program area read/write
* Manage operation mode
* System configuration read
* CPU unit status read
* Time information access
* Message read/delete
* Manage access privileges
* Read fault history report, etc.
* File operation
* Forced set/reset

A FINS message consists of a "FINS header", a "FINS command code" and "parameters". When a FINS command message is received, the receiving entity performs the operation corresponding to the "FINS command code" and sends the result as a response message to the destinations listed in the "FINS header" of the command message. The FINS protocol is designed on the assumption that the network is closed inside the device, the production line, or the factory, and it provides no encryption, data verification, or authentication functions. Recent security research has shown multiple issues in the FINS protocol under conditions the protocol does not anticipate, e.g., a FINS network connected to other outside networks, or a FINS network that can be physically accessed. The following issues in the FINS protocol have been reported:

1. Plaintext communication
Encrypted communication is not defined in the FINS protocol. FINS messages are transmitted unencrypted, so their contents can easily be read when intercepted, and alterations of FINS messages cannot be detected.

* Clear-text Transmission of Sensitive Information (CWE-319)
* Insufficient Verification of Data Authenticity (CWE-345)

2. No authentication required
Authentication is not defined in the FINS protocol, so attacks from malicious devices cannot be detected.

* Authentication Bypass by Spoofing (CWE-290)
* Authentication Bypass by Capture-replay (CWE-294)
* Missing Authentication for Critical Function (CWE-306)
* Insufficient Verification of Data Authenticity (CWE-345)
* Uncontrolled Resource Consumption (CWE-400)
* Unrestricted Externally Accessible Lock (CWE-412)
* Improper Control of Interaction Frequency (CWE-799)

This document is written by Omron and JPCERT/CC.

CVSS Severity

CVSS V3 Severity:
Base Metrics 9.8 (Critical) [NVD Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Affected Products

Omron products which implement FINS protocol include:

OMRON Corporation
  • SYSMAC CJ Series CPU Unit all versions
  • SYSMAC CP Series CPU Unit all versions
  • SYSMAC CS Series CPU Unit all versions
  • SYSMAC NJ Series CPU Unit all versions
  • SYSMAC NX102 Series CPU Unit all versions
  • SYSMAC NX1P Series CPU Unit all versions
  • SYSMAC NX7 Database Connection CPU Unit all versions

Impact

When FINS messages are intercepted, the contents may be retrieved. When arbitrary FINS messages are injected, any commands may be executed on, or the system information may be retrieved from, the affected device.

Solution

According to the developer, no revision of the FINS protocol is planned. Users of FINS products should consider the issues described in Description and Impact, and use the products in an appropriately protected environment. To minimize the risks, the vendor recommends the following:

1. Do not use FINS (Disable FINS)
In FA networks where FINS is not used, disable the FINS functionality. FINS can be disabled on the following products:

* SYSMAC NJ-series CPU Units (Ver.1.49 or later)
* SYSMAC NX1P-series CPU Units (Ver.1.49 or later)
* SYSMAC NX102-series CPU Units (Ver.1.49 or later)
* SYSMAC NX7 Database Connection CPU Units (Ver.1.29 or later)

2. Unauthorized access prevention

* Restrict the access source IP address
* Restrict unauthorized network access
* Enable FINS write protection function
* Restrict the write permission by using PLC protection password
* Prohibit PLC program changes by using the hardware DIP switch on PLC

Additional recommendations:

* Minimize the network access of control systems or devices, and restrict access from an untrusted device
* Separate control networks from IT networks with a firewall (shut down unused ports, restrict communicating hosts, and restrict access to the FINS port (9600))
* Use a Virtual Private Network (VPN) when remotely accessing control systems or devices
* Use strong passwords and change them frequently
* Incorporate physical security controls that allow only authorized users to access control systems and devices
* Scan external storage devices such as USB memory sticks for viruses before using them on control systems or devices
* Incorporate multi-factor authentication for remote access to control systems or devices
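As an added example that is not part of this advisory or of Omron's software: a small Python monitor that parses the FINS/UDP message layout described above (FINS header, command code, parameters) and applies the vendor's access-restriction advice to captured datagrams: only hosts in the OT subnet may speak FINS on port 9600, and only the engineering workstation may send write or operating-mode commands. The subnet, the allowlist and the sample datagrams are constructed for the example; the header field names and the command codes come from Omron's public FINS command reference, not from this page.

```python
import ipaddress
from typing import NamedTuple

FINS_UDP_PORT = 9600
# Constructed policy: the OT subnet, and the one workstation allowed to write.
OT_SUBNET = ipaddress.ip_network("192.168.250.0/24")
WRITE_ALLOWLIST = {ipaddress.ip_address("192.168.250.10")}
# (MRC, SRC) codes from Omron's public FINS command reference, not the advisory.
COMMAND_NAMES = {
    (0x01, 0x01): "memory area read",
    (0x01, 0x02): "memory area write",
    (0x04, 0x01): "run (operating mode change)",
    (0x04, 0x02): "stop (operating mode change)",
}
WRITE_COMMANDS = {(0x01, 0x02), (0x04, 0x01), (0x04, 0x02)}

class FinsMessage(NamedTuple):
    icf: int            # information control field (command/response flags)
    destination: tuple  # (DNA, DA1, DA2): network, node, unit address
    source: tuple       # (SNA, SA1, SA2)
    sid: int            # service id, echoed back in the response
    mrc: int            # main request code
    src: int            # sub request code
    params: bytes       # command-specific parameters

def parse_fins_udp(payload: bytes) -> FinsMessage:
    """FINS/UDP datagram = 10-byte header, 2-byte command code, parameters."""
    if len(payload) < 12:
        raise ValueError("truncated FINS message")
    icf, _rsv, _gct, dna, da1, da2, sna, sa1, sa2, sid = payload[:10]
    return FinsMessage(icf, (dna, da1, da2), (sna, sa1, sa2), sid,
                       payload[10], payload[11], payload[12:])

def check_datagram(src_ip: str, dst_port: int, payload: bytes) -> list[str]:
    """Policy findings for one captured datagram; an empty list means allowed."""
    if dst_port != FINS_UDP_PORT:
        return []
    ip, msg, findings = ipaddress.ip_address(src_ip), parse_fins_udp(payload), []
    code = (msg.mrc, msg.src)
    name = COMMAND_NAMES.get(code, f"unknown command {msg.mrc:02X}{msg.src:02X}")
    if ip not in OT_SUBNET:
        findings.append(f"FINS from outside the OT subnet: {src_ip} sent {name}")
    if code in WRITE_COMMANDS and ip not in WRITE_ALLOWLIST:
        findings.append(f"{name} from {src_ip}, which is not allowed to write")
    return findings

# Constructed samples: header (ICF 0x80 = command, response required), then
# 01 02 = write one DM word (area 0x82) at address 100 with value 0x1234.
SAMPLE_WRITE = bytes.fromhex("80 00 02 00 01 00 00 0a 00 01 01 02 82 00 64 00 00 01 12 34")
SAMPLE_READ = bytes.fromhex("80 00 02 00 01 00 00 0a 00 01 01 01 82 00 64 00 00 01")
```

Feeding the same checks with UDP payloads from a span port or packet capture turns the vendor's "restrict the access source IP address" and "restrict write permission" advice into an alert whenever FINS traffic violates the site policy.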

3. Antivirus protection
Install commercial-grade antivirus software and keep it up to date

4. Data input/output protection
Validate backups, perform range checks, etc., in preparation for unintended alteration of the input/output data of control systems or devices

5. Restoration of lost data
Back up the configuration data frequently as a countermeasure against data loss

The developer states that the issues arising from the FINS protocol will be tracked as CVE-2023-27396.

Vendor Information

OMRON Corporation

CWE

  1. Authentication Bypass by Spoofing (CWE-290) [Other]
  2. Authentication Bypass by Capture-replay (CWE-294) [Other]
  3. Missing Authentication for Critical Function (CWE-306) [Other]
  4. Cleartext Transmission of Sensitive Information (CWE-319) [Other]
  5. Insufficient Verification of Data Authenticity (CWE-345) [Other]
  6. Uncontrolled Resource Consumption ('Resource Exhaustion') (CWE-400) [Other]
  7. Unrestricted Externally Accessible Lock (CWE-412) [Other]
  8. Improper Control of Interaction Frequency (CWE-799) [Other]

CVE

  1. CVE-2023-27396

References

  1. JVN : JVNTA#91513661
  2. National Vulnerability Database (NVD) : CVE-2023-27396
  3. ICS-CERT ADVISORY : ICSA-20-063-03
  4. ICS-CERT ADVISORY : ICSA-19-346-02
  5. ICS-CERT ADVISORY : ICSA-22-179-02

Revision History

  • [2023/04/18]
      Web page was published
  • [2023/09/19]
      Affected Products : Product version was modified
  • [2024/05/23]
      CVSS Severity was modified
      References : Content was added