Improper Verification of Source of a Communication Channel in Omron PLC CS series and Omron PLC CJ series

#VU23586 Improper Verification of Source of a Communication Channel in Omron PLC CS series and Omron PLC CJ series

Published: 2019-12-13

Vulnerability identifier: #VU23586

Vulnerability risk: High

CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2019-18269

CWE-ID: CWE-940

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Omron PLC CS series
Hardware solutions / Other hardware appliances
Omron PLC CJ series
Hardware solutions / Other hardware appliances

Vendor: Omron

Description

The vulnerability allows a remote attacker to gain access to unexpected functionality.

The vulnerability exists due to incomplete check on FINS header. A remote attacker can send a specially crafted request, gain privileges and access unexpected functionality.

Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

Omron PLC CS series: All versions

Omron PLC CJ series: All versions

External links
http://www.omron-cxone.com/security/2019-12-06_PLC_EN.pdf

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Omron PLC CJ, CS and NJ Series