Published:2023/04/24 Last Updated:2023/08/01
JVNVU#97372625
Heap-based buffer overflow vulnerability in OMRON CX-Drive
Overview
OMRON CX-Drive contains a heap-based buffer overflow vulnerability.
Products Affected
- CX-Drive All models all versions
Description
CX-Drive provided by OMRON Corporation contains a heap-based buffer overflow vulnerability (CWE-122, CVE-2023-27385).
Impact
By having a user open a specially crafted SDD file, arbitrary code may be executed and/or information may be disclosed.
Solution
Apply Workarounds
Applying the workarounds may mitigate the impacts of this vulnerability.
For the details of the workarounds, refer to the information provided by the developer under [Vendor Status] section.
Vendor Status
| Vendor | Link |
| OMRON Corporation | Support tool CX-Drive for inverter/servo heap-based buffer overflow vulnerability |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
CVSS v3
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score:
7.8
| Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
|---|---|---|---|---|
| Attack Complexity(AC) | High (H) | Low (L) | ||
| Privileges Required(PR) | High (H) | Low (L) | None (N) | |
| User Interaction(UI) | Required (R) | None (N) | ||
| Scope(S) | Unchanged (U) | Changed (C) | ||
| Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
| Integrity Impact(I) | None (N) | Low (L) | High (H) | |
| Availability Impact(A) | None (N) | Low (L) | High (H) |
Credit
Michael Heinzl reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2023-27385 |
| JVN iPedia |
|
Update History
- 2023/08/01
- Information under [Products Affected] was updated