JVN#08342147
WindLDR and WindO/I-NV4 store sensitive information in cleartext
Overview
WindLDR and WindO/I-NV4 provided by IDEC Corporation store sensitive information in cleartext form.
Products Affected
- WindLDR Ver.9.1.0 and earlier
- WindO/I-NV4 Ver.3.0.1 and earlier
Description
PLC programming software "WindLDR" and Operator Interfaces' Touchscreen Programming Software "WindO/I-NV4" provided by IDEC Corporation store sensitive information in cleartext form (CWE-312).
Impact
An attacker who obtained the product's project file may obtain user credentials of the PLC or Operator Interfaces. As a result, an attacker may be able to manipulate and/or suspend the PLC and Operator Interfaces by accessing or hijacking them.
Solution
Update the Software
Apply the appropriate update according to the information provided by the developer.
The developer has released the following updates that contain a fix for this vulnerability:
- WindLDR Ver.9.2.0
- WindO/I-NV4 Ver.3.1.0
Vendor Status
| Vendor | Link |
| IDEC Corporation | WindLDR and WindO/I-NV4 store sensitive information in cleartext (PDF) |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
| Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
|---|---|---|---|---|
| Attack Complexity(AC) | High (H) | Low (L) | ||
| Privileges Required(PR) | High (H) | Low (L) | None (N) | |
| User Interaction(UI) | Required (R) | None (N) | ||
| Scope(S) | Unchanged (U) | Changed (C) | ||
| Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
| Integrity Impact(I) | None (N) | Low (L) | High (H) | |
| Availability Impact(A) | None (N) | Low (L) | High (H) |
Comment
Confidentiality(C) impact is accessed as primary, and Integrity(I) and Availability(A) impacts are assessed as secondary.
Credit
Yuki Meguro of Toinx Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2024-41716 |
| JVN iPedia |
JVNDB-2024-000089 |