JVNVU#95852116
OMRON NJ/NX series vulnerable to path traversal

Overview

OMRON NJ/NX series contain a path traversal vulnerability.

Products Affected

• Machine Automation Controller NJ Series
  • NJ101-[][][][] Ver.1.64.03 and earlier
  • NJ301-[][][][] Ver.1.64.00 and earlier
  • NJ501-1[]0[] Ver.1.64.03 and earlier
  • NJ501-1[]2[] Ver.1.64.00 and earlier
  • NJ501-1340 Ver.1.64.00 and earlier
  • NJ501-4[][][] Ver.1.64.00 and earlier
  • NJ501-5300 Ver.1.64.00 and earlier
  • NJ501-R[][][] Ver.1.64.00 and earlier
• Machine Automation Controller NX Series
  • NX1P2-[][][][][][] Ver.1.64.00 and earlier
  • NX1P2-[][][][][][]1 Ver.1.64.00 and earlier
  • NX102-[][][][] Ver.1.64.00 and earlier
  • NX502-[][][][] Ver.1.65.01 and earlier
  • NX701-[][][][] Ver.1.35.00 and earlier
  • NX-EIP201 Ver.1.00.01 and earlier

Description

Machine Automation Controller NJ/NX series provided by OMRON Corporation contain a path traversal vulnerability (CWE-22, CVE-2024-27121).

Impact

An arbitrary file in the affected product may be accessed or arbitrary code may be executed by processing a specially crafted request sent from a remote attacker with an administrative privilege.

Solution

The developer states that the updates that contain a fix for this vulnerability are scheduled to be released in April 2024.

Apply the workarounds
The developer recommends that users apply the following workarounds to mitigate the impact of this vulnerability.

• Use "Secure Communication Function" which is implemented in the following products/versions
  • NJ series, NX102, NX1P2 CPU Unit Ver.1.49 and later
  • NX701 CPU Unit Ver.1.29 and later
  • NX502 CPU Unit Ver.1.60 and later
  • NX-EIP201 Ver.1.00 and later
• Restrict access from the untrusted devices and only allow limited network accesses
• Isolate from IT network by placing firewall (block the unused communication ports, restrict communication hosts, etc.)
• Use Virtual Private Network (VPN)