Vulnerabilites related to omron - sysmac_cs1_firmware
Vulnerability from fkie_nvd
Published
2022-07-26 22:15
Modified
2024-11-21 07:04
Severity ?
Summary
Omron CS series, CJ series, and CP series PLCs through 2022-05-18 use cleartext passwords. They feature a UM Protection setting that allows users or system integrators to configure a password in order to restrict sensitive engineering operations (such as project/logic uploads and downloads). This password is set using the OMRON FINS command Program Area Protect and unset using the command Program Area Protect Clear, both of which are transmitted in cleartext.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-02 | Third Party Advisory, US Government Resource | |
| cve@mitre.org | https://www.forescout.com/blog/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-02 | Third Party Advisory, US Government Resource | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.forescout.com/blog/ | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| omron | sysmac_cs1_firmware | * | |
| omron | sysmac_cs1 | - | |
| omron | sysmac_cj2m_firmware | * | |
| omron | sysmac_cj2m | - | |
| omron | sysmac_cj2h_firmware | * | |
| omron | sysmac_cj2h | - | |
| omron | sysmac_cp1e_firmware | * | |
| omron | sysmac_cp1e | - | |
| omron | sysmac_cp1h_firmware | * | |
| omron | sysmac_cp1h | - | |
| omron | sysmac_cp1l_firmware | * | |
| omron | sysmac_cp1l | - | |
| omron | cp1w-cif41_firmware | - | |
| omron | cp1w-cif41 | - | |
| omron | cx-programmer | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:omron:sysmac_cs1_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DC0EDECA-0697-4BF1-AC39-7DAEAFA79FE5",
"versionEndExcluding": "4.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:omron:sysmac_cs1:-:*:*:*:*:*:*:*",
"matchCriteriaId": "6F4E42A1-A6A5-4590-A369-C3E11C55979B",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:omron:sysmac_cj2m_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FC2E363E-0118-4CA4-BD97-6C4FE939BA3E",
"versionEndExcluding": "2.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:omron:sysmac_cj2m:-:*:*:*:*:*:*:*",
"matchCriteriaId": "4EC6E3CB-486B-4C41-87D7-BF16D9B9FA74",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:omron:sysmac_cj2h_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "464F762D-50B7-4BC7-87B8-C6E0CDBB05DA",
"versionEndExcluding": "1.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:omron:sysmac_cj2h:-:*:*:*:*:*:*:*",
"matchCriteriaId": "179BC3C6-8530-4680-8DAA-B8734C3F088A",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:omron:sysmac_cp1e_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6C2FE1EA-5A52-4245-8F66-60A88F3C5E5C",
"versionEndExcluding": "1.30",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:omron:sysmac_cp1e:-:*:*:*:*:*:*:*",
"matchCriteriaId": "4A3E5CC5-3B48-4CD0-8CE0-F12AA0A8A1CA",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:omron:sysmac_cp1h_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9846BE46-9506-4434-BAA6-13A8AF687EC5",
"versionEndExcluding": "1.30",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:omron:sysmac_cp1h:-:*:*:*:*:*:*:*",
"matchCriteriaId": "1334C61E-D200-427B-833E-5FB538930F80",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:omron:sysmac_cp1l_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3AAB91A7-28FD-4462-AD62-40A010D3FD33",
"versionEndExcluding": "1.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:omron:sysmac_cp1l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "E74FC37C-0054-49E8-92CB-7BCF903D12C6",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:omron:cp1w-cif41_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "99A34BA8-7D88-4D08-A8F0-99570A397299",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:omron:cp1w-cif41:-:*:*:*:*:*:*:*",
"matchCriteriaId": "83911864-386F-40A2-BB2D-7E3443E3EDB8",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:omron:cx-programmer:*:*:*:*:*:*:*:*",
"matchCriteriaId": "521DA37E-EDA1-4273-9620-88D3C6B0D801",
"versionEndExcluding": "9.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Omron CS series, CJ series, and CP series PLCs through 2022-05-18 use cleartext passwords. They feature a UM Protection setting that allows users or system integrators to configure a password in order to restrict sensitive engineering operations (such as project/logic uploads and downloads). This password is set using the OMRON FINS command Program Area Protect and unset using the command Program Area Protect Clear, both of which are transmitted in cleartext."
},
{
"lang": "es",
"value": "Los PLC de las series CS, CJ y CP de Omron versiones hasta 18-05-2022, usan contrase\u00f1as en texto sin cifrar. Disponen de un ajuste de protecci\u00f3n de UM que permite a usuarios o a integradores de sistemas configurar una contrase\u00f1a para restringir las operaciones de ingenier\u00eda confidenciales (como las cargas y descargas de proyectos/l\u00f3gicas). Esta contrase\u00f1a es establecida mediante el comando OMRON FINS Program Area Protect y es desestablecida mediante el comando Program Area Protect Clear, ambos transmitidos en texto sin cifrar."
}
],
"id": "CVE-2022-31204",
"lastModified": "2024-11-21T07:04:07.190",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-07-26T22:15:11.317",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-02"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.forescout.com/blog/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-02"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.forescout.com/blog/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-319"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-07-26 22:15
Modified
2024-11-21 07:04
Severity ?
Summary
The Omron SYSMAC Cx product family PLCs (CS series, CJ series, and CP series) through 2022-05-18 lack cryptographic authentication. They utilize the Omron FINS (9600/TCP) protocol for engineering purposes, including downloading projects and control logic to the PLC. This protocol has authentication flaws as reported in FSCT-2022-0057. Control logic is downloaded to PLC volatile memory using the FINS Program Area Read and Program Area Write commands or to non-volatile memory using other commands from where it can be loaded into volatile memory for execution. The logic that is loaded into and executed from the user program area exists in compiled object code form. Upon execution, these object codes are first passed to a dedicated ASIC that determines whether the object code is to be executed by the ASIC or the microprocessor. In the former case, the object code is interpreted by the ASIC whereas in the latter case the object code is passed to the microprocessor for object code interpretation by a ROM interpreter. In the abnormal case where the object code cannot be handled by either, an abnormal condition is triggered and the PLC is halted. The logic that is downloaded to the PLC does not seem to be cryptographically authenticated, thus allowing an attacker to manipulate transmitted object code to the PLC and either execute arbitrary object code commands on the ASIC or on the microprocessor interpreter.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-02 | Third Party Advisory, US Government Resource | |
| cve@mitre.org | https://www.forescout.com/blog/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-02 | Third Party Advisory, US Government Resource | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.forescout.com/blog/ | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| omron | sysmac_cs1_firmware | * | |
| omron | sysmac_cs1 | - | |
| omron | sysmac_cj2m_firmware | * | |
| omron | sysmac_cj2m | - | |
| omron | sysmac_cj2h_firmware | * | |
| omron | sysmac_cj2h | - | |
| omron | sysmac_cp1e_firmware | * | |
| omron | sysmac_cp1e | - | |
| omron | sysmac_cp1h_firmware | * | |
| omron | sysmac_cp1h | - | |
| omron | sysmac_cp1l_firmware | * | |
| omron | sysmac_cp1l | - | |
| omron | cp1w-cif41_firmware | - | |
| omron | cp1w-cif41 | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:omron:sysmac_cs1_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DC0EDECA-0697-4BF1-AC39-7DAEAFA79FE5",
"versionEndExcluding": "4.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:omron:sysmac_cs1:-:*:*:*:*:*:*:*",
"matchCriteriaId": "6F4E42A1-A6A5-4590-A369-C3E11C55979B",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:omron:sysmac_cj2m_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FC2E363E-0118-4CA4-BD97-6C4FE939BA3E",
"versionEndExcluding": "2.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:omron:sysmac_cj2m:-:*:*:*:*:*:*:*",
"matchCriteriaId": "4EC6E3CB-486B-4C41-87D7-BF16D9B9FA74",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:omron:sysmac_cj2h_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "464F762D-50B7-4BC7-87B8-C6E0CDBB05DA",
"versionEndExcluding": "1.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:omron:sysmac_cj2h:-:*:*:*:*:*:*:*",
"matchCriteriaId": "179BC3C6-8530-4680-8DAA-B8734C3F088A",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:omron:sysmac_cp1e_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6C2FE1EA-5A52-4245-8F66-60A88F3C5E5C",
"versionEndExcluding": "1.30",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:omron:sysmac_cp1e:-:*:*:*:*:*:*:*",
"matchCriteriaId": "4A3E5CC5-3B48-4CD0-8CE0-F12AA0A8A1CA",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:omron:sysmac_cp1h_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9846BE46-9506-4434-BAA6-13A8AF687EC5",
"versionEndExcluding": "1.30",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:omron:sysmac_cp1h:-:*:*:*:*:*:*:*",
"matchCriteriaId": "1334C61E-D200-427B-833E-5FB538930F80",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:omron:sysmac_cp1l_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3AAB91A7-28FD-4462-AD62-40A010D3FD33",
"versionEndExcluding": "1.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:omron:sysmac_cp1l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "E74FC37C-0054-49E8-92CB-7BCF903D12C6",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:omron:cp1w-cif41_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "99A34BA8-7D88-4D08-A8F0-99570A397299",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:omron:cp1w-cif41:-:*:*:*:*:*:*:*",
"matchCriteriaId": "83911864-386F-40A2-BB2D-7E3443E3EDB8",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Omron SYSMAC Cx product family PLCs (CS series, CJ series, and CP series) through 2022-05-18 lack cryptographic authentication. They utilize the Omron FINS (9600/TCP) protocol for engineering purposes, including downloading projects and control logic to the PLC. This protocol has authentication flaws as reported in FSCT-2022-0057. Control logic is downloaded to PLC volatile memory using the FINS Program Area Read and Program Area Write commands or to non-volatile memory using other commands from where it can be loaded into volatile memory for execution. The logic that is loaded into and executed from the user program area exists in compiled object code form. Upon execution, these object codes are first passed to a dedicated ASIC that determines whether the object code is to be executed by the ASIC or the microprocessor. In the former case, the object code is interpreted by the ASIC whereas in the latter case the object code is passed to the microprocessor for object code interpretation by a ROM interpreter. In the abnormal case where the object code cannot be handled by either, an abnormal condition is triggered and the PLC is halted. The logic that is downloaded to the PLC does not seem to be cryptographically authenticated, thus allowing an attacker to manipulate transmitted object code to the PLC and either execute arbitrary object code commands on the ASIC or on the microprocessor interpreter."
},
{
"lang": "es",
"value": "Los PLC de la familia de productos SYSMAC Cx de Omron (series CS, CJ y CP) versiones hasta 18-05-2022, carecen de autenticaci\u00f3n criptogr\u00e1fica. Usan el protocolo FINS (9600/TCP) de Omron para fines de ingenier\u00eda, incluida la descarga de proyectos y l\u00f3gica de control al PLC. Este protocolo presenta fallos de autenticaci\u00f3n, como es indicado en el documento FSCT-2022-0057. La l\u00f3gica de control es descargada en la memoria vol\u00e1til del PLC Usando los comandos FINS Program Area Read y Program Area Write o en la memoria no vol\u00e1til Usando otros comandos desde donde puede ser cargado en la memoria vol\u00e1til para su ejecuci\u00f3n. La l\u00f3gica que es cargada y ejecutada desde el \u00e1rea de programa de usuario se presenta en forma de c\u00f3digo objeto compilado. Al ejecutarse, estos c\u00f3digos objeto son pasados primero a un ASIC dedicado que determina si el c\u00f3digo objeto debe ser ejecutado por el ASIC o por el microprocesador. En el primer caso, el c\u00f3digo objeto es interpretado por el ASIC, mientras que en el segundo caso el c\u00f3digo objeto es pasado al microprocesador para que sea interpretado por un int\u00e9rprete ROM. En el caso anormal en el que el c\u00f3digo objeto no puede ser manejado por ninguno de los dos, es desencadenada una condici\u00f3n anormal y el PLC es detenido. La l\u00f3gica que es descargada en el PLC no parece estar autenticada criptogr\u00e1ficamente, lo que permite a un atacante manipular el c\u00f3digo objeto transmitido al PLC y ejecutar comandos de c\u00f3digo objeto arbitrarios en el ASIC o en el int\u00e9rprete del microprocesador.\n"
}
],
"id": "CVE-2022-31207",
"lastModified": "2024-11-21T07:04:07.720",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-07-26T22:15:11.440",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-02"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.forescout.com/blog/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-02"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.forescout.com/blog/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-347"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-07-26 22:15
Modified
2024-11-21 07:04
Severity ?
Summary
In Omron CS series, CJ series, and CP series PLCs through 2022-05-18, the password for access to the Web UI is stored in memory area D1449...D1452 and can be read out using the Omron FINS protocol without any further authentication.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-02 | Third Party Advisory, US Government Resource | |
| cve@mitre.org | https://www.forescout.com/blog/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-02 | Third Party Advisory, US Government Resource | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.forescout.com/blog/ | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| omron | sysmac_cs1_firmware | * | |
| omron | sysmac_cs1 | - | |
| omron | sysmac_cj2m_firmware | * | |
| omron | sysmac_cj2m | - | |
| omron | sysmac_cj2h_firmware | * | |
| omron | sysmac_cj2h | - | |
| omron | sysmac_cp1e_firmware | * | |
| omron | sysmac_cp1e | - | |
| omron | sysmac_cp1h_firmware | * | |
| omron | sysmac_cp1h | - | |
| omron | sysmac_cp1l_firmware | * | |
| omron | sysmac_cp1l | - | |
| omron | cp1w-cif41_firmware | - | |
| omron | cp1w-cif41 | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:omron:sysmac_cs1_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DC0EDECA-0697-4BF1-AC39-7DAEAFA79FE5",
"versionEndExcluding": "4.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:omron:sysmac_cs1:-:*:*:*:*:*:*:*",
"matchCriteriaId": "6F4E42A1-A6A5-4590-A369-C3E11C55979B",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:omron:sysmac_cj2m_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FC2E363E-0118-4CA4-BD97-6C4FE939BA3E",
"versionEndExcluding": "2.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:omron:sysmac_cj2m:-:*:*:*:*:*:*:*",
"matchCriteriaId": "4EC6E3CB-486B-4C41-87D7-BF16D9B9FA74",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:omron:sysmac_cj2h_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "464F762D-50B7-4BC7-87B8-C6E0CDBB05DA",
"versionEndExcluding": "1.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:omron:sysmac_cj2h:-:*:*:*:*:*:*:*",
"matchCriteriaId": "179BC3C6-8530-4680-8DAA-B8734C3F088A",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:omron:sysmac_cp1e_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6C2FE1EA-5A52-4245-8F66-60A88F3C5E5C",
"versionEndExcluding": "1.30",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:omron:sysmac_cp1e:-:*:*:*:*:*:*:*",
"matchCriteriaId": "4A3E5CC5-3B48-4CD0-8CE0-F12AA0A8A1CA",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:omron:sysmac_cp1h_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9846BE46-9506-4434-BAA6-13A8AF687EC5",
"versionEndExcluding": "1.30",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:omron:sysmac_cp1h:-:*:*:*:*:*:*:*",
"matchCriteriaId": "1334C61E-D200-427B-833E-5FB538930F80",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:omron:sysmac_cp1l_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3AAB91A7-28FD-4462-AD62-40A010D3FD33",
"versionEndExcluding": "1.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:omron:sysmac_cp1l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "E74FC37C-0054-49E8-92CB-7BCF903D12C6",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:omron:cp1w-cif41_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "99A34BA8-7D88-4D08-A8F0-99570A397299",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:omron:cp1w-cif41:-:*:*:*:*:*:*:*",
"matchCriteriaId": "83911864-386F-40A2-BB2D-7E3443E3EDB8",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Omron CS series, CJ series, and CP series PLCs through 2022-05-18, the password for access to the Web UI is stored in memory area D1449...D1452 and can be read out using the Omron FINS protocol without any further authentication."
},
{
"lang": "es",
"value": "En los PLC de las series CS, CJ y CP de Omron versiones hasta 18-05-2022, la contrase\u00f1a de acceso a la Interfaz de Usuario Web es almacenada en el \u00e1rea de memoria D1449...D1452 y puede leerse mediante el protocolo FINS de Omron sin necesidad de ninguna otra autenticaci\u00f3n."
}
],
"id": "CVE-2022-31205",
"lastModified": "2024-11-21T07:04:07.353",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-07-26T22:15:11.357",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-02"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.forescout.com/blog/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-02"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.forescout.com/blog/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-312"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
cve-2022-31207
Vulnerability from cvelistv5
Published
2022-07-26 21:28
Modified
2024-08-03 07:11
Severity ?
EPSS score ?
Summary
The Omron SYSMAC Cx product family PLCs (CS series, CJ series, and CP series) through 2022-05-18 lack cryptographic authentication. They utilize the Omron FINS (9600/TCP) protocol for engineering purposes, including downloading projects and control logic to the PLC. This protocol has authentication flaws as reported in FSCT-2022-0057. Control logic is downloaded to PLC volatile memory using the FINS Program Area Read and Program Area Write commands or to non-volatile memory using other commands from where it can be loaded into volatile memory for execution. The logic that is loaded into and executed from the user program area exists in compiled object code form. Upon execution, these object codes are first passed to a dedicated ASIC that determines whether the object code is to be executed by the ASIC or the microprocessor. In the former case, the object code is interpreted by the ASIC whereas in the latter case the object code is passed to the microprocessor for object code interpretation by a ROM interpreter. In the abnormal case where the object code cannot be handled by either, an abnormal condition is triggered and the PLC is halted. The logic that is downloaded to the PLC does not seem to be cryptographically authenticated, thus allowing an attacker to manipulate transmitted object code to the PLC and either execute arbitrary object code commands on the ASIC or on the microprocessor interpreter.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.forescout.com/blog/ | x_refsource_MISC | |
| https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-02 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:11:39.903Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.forescout.com/blog/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Omron SYSMAC Cx product family PLCs (CS series, CJ series, and CP series) through 2022-05-18 lack cryptographic authentication. They utilize the Omron FINS (9600/TCP) protocol for engineering purposes, including downloading projects and control logic to the PLC. This protocol has authentication flaws as reported in FSCT-2022-0057. Control logic is downloaded to PLC volatile memory using the FINS Program Area Read and Program Area Write commands or to non-volatile memory using other commands from where it can be loaded into volatile memory for execution. The logic that is loaded into and executed from the user program area exists in compiled object code form. Upon execution, these object codes are first passed to a dedicated ASIC that determines whether the object code is to be executed by the ASIC or the microprocessor. In the former case, the object code is interpreted by the ASIC whereas in the latter case the object code is passed to the microprocessor for object code interpretation by a ROM interpreter. In the abnormal case where the object code cannot be handled by either, an abnormal condition is triggered and the PLC is halted. The logic that is downloaded to the PLC does not seem to be cryptographically authenticated, thus allowing an attacker to manipulate transmitted object code to the PLC and either execute arbitrary object code commands on the ASIC or on the microprocessor interpreter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-26T21:28:46",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.forescout.com/blog/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-02"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-31207",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Omron SYSMAC Cx product family PLCs (CS series, CJ series, and CP series) through 2022-05-18 lack cryptographic authentication. They utilize the Omron FINS (9600/TCP) protocol for engineering purposes, including downloading projects and control logic to the PLC. This protocol has authentication flaws as reported in FSCT-2022-0057. Control logic is downloaded to PLC volatile memory using the FINS Program Area Read and Program Area Write commands or to non-volatile memory using other commands from where it can be loaded into volatile memory for execution. The logic that is loaded into and executed from the user program area exists in compiled object code form. Upon execution, these object codes are first passed to a dedicated ASIC that determines whether the object code is to be executed by the ASIC or the microprocessor. In the former case, the object code is interpreted by the ASIC whereas in the latter case the object code is passed to the microprocessor for object code interpretation by a ROM interpreter. In the abnormal case where the object code cannot be handled by either, an abnormal condition is triggered and the PLC is halted. The logic that is downloaded to the PLC does not seem to be cryptographically authenticated, thus allowing an attacker to manipulate transmitted object code to the PLC and either execute arbitrary object code commands on the ASIC or on the microprocessor interpreter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.forescout.com/blog/",
"refsource": "MISC",
"url": "https://www.forescout.com/blog/"
},
{
"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-02",
"refsource": "MISC",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-02"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-31207",
"datePublished": "2022-07-26T21:28:46",
"dateReserved": "2022-05-18T00:00:00",
"dateUpdated": "2024-08-03T07:11:39.903Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-31204
Vulnerability from cvelistv5
Published
2022-07-26 21:28
Modified
2024-08-03 07:11
Severity ?
EPSS score ?
Summary
Omron CS series, CJ series, and CP series PLCs through 2022-05-18 use cleartext passwords. They feature a UM Protection setting that allows users or system integrators to configure a password in order to restrict sensitive engineering operations (such as project/logic uploads and downloads). This password is set using the OMRON FINS command Program Area Protect and unset using the command Program Area Protect Clear, both of which are transmitted in cleartext.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.forescout.com/blog/ | x_refsource_MISC | |
| https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-02 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:11:39.640Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.forescout.com/blog/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Omron CS series, CJ series, and CP series PLCs through 2022-05-18 use cleartext passwords. They feature a UM Protection setting that allows users or system integrators to configure a password in order to restrict sensitive engineering operations (such as project/logic uploads and downloads). This password is set using the OMRON FINS command Program Area Protect and unset using the command Program Area Protect Clear, both of which are transmitted in cleartext."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-26T21:28:29",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.forescout.com/blog/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-02"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-31204",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Omron CS series, CJ series, and CP series PLCs through 2022-05-18 use cleartext passwords. They feature a UM Protection setting that allows users or system integrators to configure a password in order to restrict sensitive engineering operations (such as project/logic uploads and downloads). This password is set using the OMRON FINS command Program Area Protect and unset using the command Program Area Protect Clear, both of which are transmitted in cleartext."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.forescout.com/blog/",
"refsource": "MISC",
"url": "https://www.forescout.com/blog/"
},
{
"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-02",
"refsource": "MISC",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-02"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-31204",
"datePublished": "2022-07-26T21:28:29",
"dateReserved": "2022-05-18T00:00:00",
"dateUpdated": "2024-08-03T07:11:39.640Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-31205
Vulnerability from cvelistv5
Published
2022-07-26 21:28
Modified
2024-08-03 07:11
Severity ?
EPSS score ?
Summary
In Omron CS series, CJ series, and CP series PLCs through 2022-05-18, the password for access to the Web UI is stored in memory area D1449...D1452 and can be read out using the Omron FINS protocol without any further authentication.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.forescout.com/blog/ | x_refsource_MISC | |
| https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-02 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:11:39.641Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.forescout.com/blog/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Omron CS series, CJ series, and CP series PLCs through 2022-05-18, the password for access to the Web UI is stored in memory area D1449...D1452 and can be read out using the Omron FINS protocol without any further authentication."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-26T21:28:41",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.forescout.com/blog/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-02"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-31205",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Omron CS series, CJ series, and CP series PLCs through 2022-05-18, the password for access to the Web UI is stored in memory area D1449...D1452 and can be read out using the Omron FINS protocol without any further authentication."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.forescout.com/blog/",
"refsource": "MISC",
"url": "https://www.forescout.com/blog/"
},
{
"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-02",
"refsource": "MISC",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-02"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-31205",
"datePublished": "2022-07-26T21:28:41",
"dateReserved": "2022-05-18T00:00:00",
"dateUpdated": "2024-08-03T07:11:39.641Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}