SB2024083016 - Multiple vulnerabilities in IDEC Programmable Logic Controllers
Published: August 30, 2024
Breakdown by Severity: (severity chart; per-level counts are not reproduced here)
Description
This security bulletin contains information about 2 vulnerabilities.
1) Generation of Predictable Numbers or Identifiers (CVE-ID: CVE-2024-28957)
CWE-ID: CWE-340 - Generation of Predictable Numbers or Identifiers
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to interfere with the device's communications (the CVSS vector rates the impact as low on availability only, VA:L).
The vulnerability exists because some packet header identifiers are generated predictably. A remote attacker who observes a short run of traffic can predict the IDs the device will use next and interfere with its communications.
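The following Python script is an added example, not code from the bulletin or from IDEC, and it assumes nothing about the real wire format: it treats a captured run of header IDs as a bare integer sequence and tests whether an affine recurrence id[n+1] = (a*id[n] + c) mod 2^k explains every observed pair, which covers plain counters (a = 1) and linear congruential generators. A successful fit is exactly the CWE-340 condition, since the next ID then follows from the last one. The 16-bit field width and the three sample generators (counter, LCG, CSPRNG) are hypothetical, constructed only for the demonstration.

```python
"""Predictability check for packet header IDs (added example, not code from the
bulletin or from IDEC). Fits id[n+1] = (a*id[n] + c) mod 2^k to a captured run;
a fit that holds for every observed pair means the next ID can be predicted.
The 16-bit width and the sample generators below are assumptions for the demo."""
import secrets
from math import gcd
from typing import Iterator, List, Optional, Sequence, Tuple

ID_BITS = 16               # assumption: 16-bit header ID field
MOD = 1 << ID_BITS


def _solve_linear(d0: int, d1: int, mod: int) -> Iterator[int]:
    """Yield every a in [0, mod) with a*d0 == d1 (mod mod)."""
    d0 %= mod
    d1 %= mod
    g = gcd(d0, mod)       # gcd(0, mod) == mod, so a repeated ID (d0 == 0) is handled
    if d1 % g:
        return             # no multiplier is consistent with this pair of differences
    m = mod // g
    base = 0 if m == 1 else (d1 // g) * pow(d0 // g, -1, m) % m
    for k in range(g):     # all solutions differ by multiples of mod/g
        yield base + k * m


def fit_affine(ids: Sequence[int], mod: int = MOD) -> Optional[Tuple[int, int]]:
    """Return (a, c) with ids[i+1] == (a*ids[i] + c) % mod for every observed i,
    or None if no such recurrence explains the capture."""
    if len(ids) < 4:       # too few pairs to rule out a chance fit
        return None
    x0, x1, x2 = ids[0], ids[1], ids[2]
    for a in _solve_linear(x1 - x0, x2 - x1, mod):
        c = (x1 - a * x0) % mod
        if all((a * ids[i] + c) % mod == ids[i + 1] for i in range(len(ids) - 1)):
            return a, c
    return None


def predict_next(ids: Sequence[int], mod: int = MOD) -> Optional[int]:
    """Predicted next ID, or None when the capture is not affine-predictable."""
    fit = fit_affine(ids, mod)
    if fit is None:
        return None
    a, c = fit
    return (a * ids[-1] + c) % mod


def is_predictable(ids: Sequence[int], mod: int = MOD) -> bool:
    return fit_affine(ids, mod) is not None


# Hypothetical ID generators, constructed for the demo (not the device's real scheme).
class CounterIds:
    """Predictable: wrapping counter, the most common CWE-340 pattern."""
    def __init__(self, start: int = 0x1000) -> None:
        self.state = start % MOD

    def next_id(self) -> int:
        self.state = (self.state + 1) % MOD
        return self.state


class LcgIds:
    """Predictable: linear congruential generator with made-up constants."""
    def __init__(self, seed: int, a: int = 16807, c: int = 12345) -> None:
        self.state, self.a, self.c = seed % MOD, a, c

    def next_id(self) -> int:
        self.state = (self.a * self.state + self.c) % MOD
        return self.state


class RandomIds:
    """Hardened: IDs drawn from the OS CSPRNG; the fit is expected to fail."""
    def next_id(self) -> int:
        return secrets.randbelow(MOD)


def observe(gen, n: int) -> List[int]:
    """Simulate sniffing n consecutive header IDs from a generator."""
    return [gen.next_id() for _ in range(n)]


if __name__ == "__main__":
    samples = (("counter", CounterIds(0xFFFD)), ("lcg", LcgIds(1)), ("csprng", RandomIds()))
    for name, gen in samples:
        seen = observe(gen, 8)
        print(f"{name:7s} seen={[hex(i) for i in seen]} predicted_next={predict_next(seen)}")
```

On a real capture, feed `fit_affine` the ID field of consecutive packets from one device; a counter that wraps at the field width still fits (the modular arithmetic absorbs the wrap), while IDs from a CSPRNG fail the fit. The check is deliberately limited to affine recurrences, so a None result means "not trivially predictable", not "cryptographically random".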
2) Cleartext transmission of sensitive information (CVE-ID: CVE-2024-41927)
CWE-ID: CWE-319 - Cleartext Transmission of Sensitive Information
CVSSv4: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows an attacker with physical access to gain access to sensitive information.
The vulnerability exists because the software transmits sensitive information over an insecure (cleartext) communication channel. An attacker with physical access to the link can read that data.
Remediation
Install the update from the vendor's website. Until it is applied, limit network access to the affected controllers, since the first issue is exploitable over the network (AV:N); the second requires physical access (AV:P).