JVNVU#98274902
Multiple vulnerabilities in OMRON Sysmac Studio/CX-One and CX-Programmer

Overview

OMRON Sysmac Studio/CX-One and CX-Programmer contain multiple vulnerabilities.

Products Affected

CVE-2024-31412

• CX-Programmer
  • Included in CX-One CXONE-AL[][]D-V4 Ver. 9.81 or lower

• CX-One CX-One CXONE-AL[][]D-V4
  • The version which was installed with a DVD ver. 4.61.1 or lower, and was updated through CX-One V4 auto update in January 2024 or prior
• Sysmac Studio SYSMAC-SE2[][][]
  • The version which was installed with a DVD ver. 1.56 or lower, and was updated through Sysmac Studio V1 auto update in January 2024 or prior

Description

OMRON Sysmac Studio/CX-One and CX-Programmer contain multiple vulnerabilities listed below.

• Out-of-bounds read (CWE-125)
  • CVE-2024-31412
  • CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Base Score 7.8
• Free of pointer not at start of buffer (CWE-761)
  • CVE-2024-31413
  • CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Base Score 7.8

Impact

• Opening a specially crafted project file may lead to information disclosure and/or the product being crashed (CVE-2024-31412)
• Opening a specially crafted project file may lead to arbitrary code execution (CVE-2024-31413)

Solution

Update the firmware
Update the firmware to the latest version according to the information provided by the developer.

Regarding the details of how to obtain the update or how to update the firmware, contact the developer and/or the sales representatives.