JVNDB-2023-002787

OMRON CJ series and CS/CJ Series EtherNet/IT unit vulnerable to Denial-of-Service (DoS)

Denial-of-service (DoS) vulnerability due to improper validation of specified type of input (CWE-1287) issue exists in the built-in EtherNet/IP port of the CJ Series CJ2 CPU unit and the communication function of the CS/CJ Series EtherNet/IP unit provided by OMRON Corporation.

OMRON Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.

OMRON Corporation

• CJ2H-CPU6[]-EIP Unit version of the built-in EtherNet/IP section Ver. 3.04 and earlier (CJ2H CPU Unit)
• CJ2M-CPU3[] Unit version of the built-in EtherNet/IP section Ver. 2.18 and earlier (CJ2M CPU Unit)
• CJ1W-EIP21 V3.04 and earlier (CS/CJ Series EtherNet/IP Unit)
• CS1W-EIP21 V3.04 and earlier (CS/CJ Series EtherNet/IP Unit)

Regarding how to check the affected products/versions, refer to the manuals listed below.
* CJ Series CPU Unit User's Manual (Hardware) (W472-E1-15) "Unit Versions of CJ2 CPU Units" section
* CS/CJ Series EtherNet/IP Units Operation Manual (W465-E1-12) "Unit Versions of CS/CJ-series" section

If an affected product receives a packet which is specially crafted by a remote unauthenticated attacker, the unit of the affected product may fall into a denial-of-service (DoS) condition.

[Update the firmware]
Update the firmware to the latest version according to the information provided by the developer.

Regarding the details of how to obtain the update or how to update the firmware, contact the developer and/or the sales representatives.

OMRON Corporation

• OMRON Corporation : Vulnerability that could cause a Denial of Service (DoS) state in the built-in EtherNet/IP port of the CJ Series CJ2 CPU unit and the CS/CJ series EtherNet/IP unit

1. Improper Validation of Specified Type of Input(CWE-1287) [Other]

1. CVE-2023-38744

1. JVN : JVNVU#92193064
2. National Vulnerability Database (NVD) : CVE-2023-38744

• [2023/08/03]
    Web page was published