JVNDB-2024-000089

WindLDR and WindO/I-NV4 store sensitive information in cleartext

Overview

The PLC programming software "WindLDR" and the Operator Interface touchscreen programming software "WindO/I-NV4", both provided by IDEC Corporation, store sensitive information in cleartext (CWE-312).

Yuki Meguro of Toinx Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

CVSS Severity

CVSS V3 Severity:
Base Metrics 5.9 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None
[Comment]
The Confidentiality (C) impact is assessed as the primary impact; the Integrity (I) and Availability (A) impacts are treated as secondary consequences and are therefore not scored.
Affected Products


IDEC Corporation
  • WindLDR Ver.9.1.0 and earlier
  • WindO/I-NV4 Ver.3.0.1 and earlier

Impact

An attacker who has obtained a project file created with the product may recover the user credentials for the PLC or Operator Interface stored in it. With those credentials the attacker may be able to access or hijack the PLC or Operator Interface and manipulate or stop it.
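A practical way to confirm the exposure, and to confirm that the fix behaves as expected after upgrading, is to save a project with a known test credential and search the saved file for that credential in the encodings under which it would still be readable. The Python below is an added example and is not code from IDEC or from this advisory; the project-file layout it builds (a zip archive with a project.xml member, a PLC host of 192.0.2.10, a user "maintenance" and a keystore placeholder) is constructed for illustration and does not describe the real WindLDR or WindO/I-NV4 file format.

```python
"""Search a saved project file for a known credential stored in cleartext (added example)."""
import base64
import io
import zipfile


def credential_encodings(secret: str) -> dict:
    """Byte patterns under which a stored credential still counts as cleartext:
    plain UTF-8, UTF-16LE (common in Windows tooling), base64 and hex."""
    raw = secret.encode("utf-8")
    return {
        "utf-8": raw,
        "utf-16le": secret.encode("utf-16-le"),
        "base64": base64.b64encode(raw),
        "hex": raw.hex().encode("ascii"),
    }


def scan_blob(name: str, data: bytes, secret: str) -> list:
    """Return (member, encoding, offset) for every cleartext hit in one byte blob."""
    hits = []
    for enc, pattern in credential_encodings(secret).items():
        start = 0
        while (pos := data.find(pattern, start)) != -1:
            hits.append((name, enc, pos))
            start = pos + 1
    return hits


def scan_project_file(data: bytes, secret: str) -> list:
    """Scan a saved project file for the given credential.

    Handles both a flat file and a zip container (many engineering tools save
    projects as zip archives of XML); members are scanned after decompression,
    so compression does not hide the string from the check."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        hits = []
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                hits.extend(scan_blob(member, zf.read(member), secret))
        return hits
    return scan_blob("<file>", data, secret)


def make_sample_project(password: str, protect: bool) -> bytes:
    """Build a constructed, hypothetical zip-based project file.

    With protect=False the PLC password is written as-is (the CWE-312 pattern).
    With protect=True only a placeholder reference is written, standing in for a
    value kept in an OS credential store rather than inside the file."""
    stored = "{keystore:plc-login}" if protect else password
    xml = (
        '<?xml version="1.0"?>\n'
        '<project name="line3">\n'
        '  <plc host="192.0.2.10" user="maintenance" password="%s"/>\n'
        "</project>\n" % stored
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("project.xml", xml)
        zf.writestr("ladder/main.lad", "LD I0.0\nOUT Q0.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    pw = "S3cret-PLC!"
    for protect in (False, True):
        hits = scan_project_file(make_sample_project(pw, protect), pw)
        label = "protected" if protect else "cleartext"
        print(label, "->", hits or "no cleartext credential found")
```

Run scan_project_file against a project saved by the real tool with a credential you control; any reported hit means the file still carries the secret and should be handled as sensitive (access-controlled storage, no sharing by e-mail or ticket attachments). The base64 pattern is matched at a single alignment, so a secret embedded mid-string inside a longer base64 field would need the other two alignments checked as well.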
Solution

[Update the Software]
Apply the appropriate update according to the information provided by the developer.
The developer has released the following updates that contain a fix for this vulnerability:

* WindLDR Ver.9.2.0
* WindO/I-NV4 Ver.3.1.0
Vendor Information

IDEC Corporation
CWE

  1. No Mapping (CWE-Other) [IPA Evaluation]

CVE

  1. CVE-2024-41716
References

  1. JVN : JVN#08342147
  2. ICS-CERT ADVISORY : ICSA-24-263-03
Revision History

  • [2024/08/29]
      Web page was published
  • [2024/09/24]
      References : Content was added