[Japanese]
|
JVNDB-2024-002942
|
OMRON NJ/NX series vulnerable to path traversal
|
Machine Automation Controller NJ/NX series provided by OMRON Corporation contain a path traversal vulnerability (CWE-22, CVE-2024-27121).
OMRON Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
|
CVSS V3 Severity: Base Metrics 7.2 (High) [Other]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
|
|
OMRON Corporation
- Machine automation controller NJ series NJ101-[][][][] Ver.1.64.03 and earlier
- Machine automation controller NJ series NJ301-[][][][] Ver.1.64.00 and earlier
- Machine automation controller NJ series NJ501-1[]0[] Ver.1.64.03 and earlier
- Machine automation controller NJ series NJ501-1[]2[] Ver.1.64.00 and earlier
- Machine automation controller NJ series NJ501-1340 Ver.1.64.00 and earlier
- Machine automation controller NJ series NJ501-4[][][] Ver.1.64.00 and earlier
- Machine automation controller NJ series NJ501-5300 Ver.1.64.00 and earlier
- Machine automation controller NJ series NJ501-R[][][] Ver.1.64.00 and earlier
- Machine automation controller NX series NX1P2-[][][][][][] Ver.1.64.00 and earlier
- Machine automation controller NX series NX1P2-[][][][][][]1 Ver.1.64.00 and earlier
- Machine automation controller NX series NX102-[][][][] Ver.1.64.00 and earlier
- Machine automation controller NX series NX502-[][][][] Ver.1.65.01 and earlier
- Machine automation controller NX series NX701-[][][][] Ver.1.35.00 and earlier
- Machine automation controller NX series NX-EIP201 Ver.1.00.01 and earlier
|
As for the details of the affected products/models/versions, refer to the information provided by the developer.
|
An arbitrary file in the affected product may be accessed or arbitrary code may be executed by processing a specially crafted request sent from a remote attacker with an administrative privilege.
|
The developer states that the updates that contain a fix for this vulnerability are scheduled to be released in April 2024.
[Apply the workarounds]
The developer recommends that users apply the following workarounds to mitigate the impact of this vulnerability.
- Use "Secure Communication Function" which is implemented in the following products/versions
- NJ series, NX102, NX1P2 CPU Unit Ver.1.49 and later
- NX701 CPU Unit Ver.1.29 and later
- NX502 CPU Unit Ver.1.60 and later
- NX-EIP201 Ver.1.00 and later
- Restrict access from the untrusted devices and only allow limited network accesses
- Isolate from IT network by placing firewall (block the unused communication ports, restrict communication hosts, etc.)
- Use Virtual Private Network (VPN)
For more information, refer to the information provided by the developer.
|
OMRON Corporation
|
- Path Traversal(CWE-22) [Other]
|
- CVE-2024-27121
|
- JVN : JVNVU#95852116
|
- [2024/03/08]
Web page was published
|