Published:2023/04/17  Last Updated:2023/09/19

JVNTA#91513661
Security Issues in FINS protocol

Overview

FINS (Factory Interface Network Service) is a message communication protocol designed for use in closed FA (Factory Automation) networks, and is used in FA networks composed of Omron products. Recent security research has identified multiple issues affecting systems that use the FINS protocol.

Products Affected

Omron products which implement FINS protocol include:
  • SYSMAC CS-series CPU Units, all versions
  • SYSMAC CJ-series CPU Units, all versions
  • SYSMAC CP-series CPU Units, all versions
  • SYSMAC NJ-series CPU Units, all versions
  • SYSMAC NX1P-series CPU Units, all versions
  • SYSMAC NX102-series CPU Units, all versions
  • SYSMAC NX7 Database Connection CPU Units, all versions

Description

FINS (Factory Interface Network Service) is a message communication protocol designed for use in closed FA (Factory Automation) networks, and is used in FA networks composed of Omron products. FINS commands make it possible to read and write information, perform various operations, and set the configuration on FINS-compliant devices. The supported FINS commands, which vary depending on the product, include:
  • I/O memory area read/write
  • Parameter area read/write
  • Program area read/write
  • Manage operation mode
  • System configuration read
  • CPU unit status read
  • Time information access
  • Message read/delete
  • Manage access privileges
  • Read fault history report, etc.
  • File operation
  • Forced set/reset

A FINS message consists of a "FINS header", a "FINS command code" and "parameter". When it receives a FINS command message, the receiving entity performs the operation corresponding to the "FINS command code" and sends the result as a response message to the destinations listed in the "FINS header" of the command message.

The FINS protocol is designed on the assumption that the network is closed within the device, the production line, or the factory, and it does not provide any encryption, data verification, or authentication functions. Recent security research has identified multiple issues in the FINS protocol under conditions that the protocol does not consider, e.g., a FINS network is connected to outside networks, or a FINS network can be physically accessed. The following issues in the FINS protocol have been reported:
 

1. Plaintext communication

Encrypted communication is not defined in the FINS protocol. FINS messages are transmitted unencrypted, and their contents can easily be read when intercepted. In addition, alterations of FINS messages cannot be detected.
  • Clear-text Transmission of Sensitive Information (CWE-319)
  • Insufficient Verification of Data Authenticity (CWE-345)

2. No authentication required

Authentication is not defined in the FINS protocol. Attacks from malicious devices cannot be detected.
  • Authentication Bypass by Spoofing (CWE-290)
  • Authentication Bypass by Capture-replay (CWE-294)
  • Missing Authentication for Critical Function (CWE-306)
  • Insufficient Verification of Data Authenticity (CWE-345)
  • Uncontrolled Resource Consumption (CWE-400)
  • Unrestricted Externally Accessible Lock (CWE-412)
  • Improper Control of Interaction Frequency (CWE-799)

Impact

When FINS messages are intercepted, the contents may be retrieved. When arbitrary FINS messages are injected, any commands may be executed on, or the system information may be retrieved from, the affected device.
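
Because FINS has no authentication, a monitor at the FA network boundary can judge a message only by its source address and command code. The following is an added example, not part of the original advisory or any vendor code: it parses FINS/UDP payloads and flags commands from unlisted sources and commands that change device state. The 10-byte header layout and the command codes come from Omron's published FINS command reference rather than from this page; the allowlist subnet and the sample datagrams are constructed.

```python
import ipaddress
import struct

# Command codes (MRC, SRC) from Omron's published FINS command reference;
# the advisory names these operations but does not list the codes.
STATE_CHANGING = {
    0x0102: "memory area write", 0x0202: "parameter area write",
    0x0307: "program area write", 0x0401: "operating mode change (RUN)",
    0x0402: "operating mode change (STOP)", 0x0702: "clock write",
    0x0C01: "access right acquire", 0x2301: "forced set/reset",
}
FINS_HEADER_LEN = 10  # ICF RSV GCT DNA DA1 DA2 SNA SA1 SA2 SID

# Constructed samples (header + command code only, parameters omitted);
# not captured traffic. The allowlisted subnet is hypothetical.
ALLOWED = [ipaddress.ip_network("192.0.2.0/28")]
READ_STATUS = bytes.fromhex("800002000a0000050007" "0601")
CLOCK_WRITE = bytes.fromhex("800002000a0000630011" "0702")


def parse_fins(payload: bytes):
    """Return header fields and command code of a FINS/UDP payload, or None."""
    if len(payload) < FINS_HEADER_LEN + 2:
        return None  # too short for header + command code
    icf, _rsv, _gct, dna, da1, da2, sna, sa1, sa2, sid = payload[:10]
    (code,) = struct.unpack(">H", payload[10:12])
    return {"is_response": bool(icf & 0x40),  # ICF bit 6: 1 = response
            "dst": (dna, da1, da2), "src": (sna, sa1, sa2),
            "sid": sid, "code": code, "params": payload[12:]}


def review(src_ip: str, payload: bytes, allowed_nets):
    """Return a list of findings for one datagram seen on the FINS port."""
    msg = parse_fins(payload)
    if msg is None:
        return ["malformed: shorter than FINS header + command code"]
    if msg["is_response"]:
        return []  # only command messages are judged here
    findings = []
    addr = ipaddress.ip_address(src_ip)
    if not any(addr in net for net in allowed_nets):
        findings.append(f"command 0x{msg['code']:04X} from unlisted source {src_ip}")
    if msg["code"] in STATE_CHANGING:
        findings.append(f"state-changing command: {STATE_CHANGING[msg['code']]}")
    return findings
```

The FINS source node fields (SNA, SA1, SA2) are sender-supplied and unauthenticated, so the check keys on the IP source address seen by the monitor; that address can also be spoofed on UDP, which is why the advisory pairs source restriction with network separation.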

Solution

According to the developer, no revision of the FINS protocol is planned. Users of the FINS products should consider the issues described in Description and Impact, and use the products in an appropriately protected environment. To minimize the risks, the vendor recommends the following:

1. Do not use FINS (Disable FINS)

In FA networks where FINS is not used, disable FINS functionality. The following products allow FINS to be disabled:
  • SYSMAC NJ-series CPU Units (Ver.1.49 or later)
  • SYSMAC NX1P-series CPU Units (Ver.1.49 or later)
  • SYSMAC NX102-series CPU Units (Ver.1.49 or later)
  • SYSMAC NX7 Database Connection CPU Units (Ver.1.29 or later)

2. Illegal access prevention

  • Restrict the access source IP address
  • Restrict unauthorized network access
  • Enable FINS write protection function
  • Restrict the write permission by using PLC protection password
  • Prohibit PLC program changes by using the hardware DIP switch on PLC
Additional recommendations:
  • Minimize the network access of control systems or devices, and restrict access from an untrusted device
  • Separate from IT networks by using a firewall (shut down unused ports, restrict communication hosts and restrict access to the FINS port (9600))
  • Use a Virtual Private Network (VPN) when remotely accessing control systems or devices
  • Use strong passwords and change them frequently
  • Incorporate a physical security control which allows only authorized users to access control systems and devices
  • Run a virus scan when using external storage devices such as USB memory sticks on control systems or devices
  • Incorporate multi-factor authentication for remote access to the control systems or devices


3. Antivirus protection

Incorporate and maintain the latest commercial-grade antivirus software
 

4. Data input/output protection

Validation of backups, range checks, etc., in preparation for unintended alteration of input/output data of control systems or devices
 

5. Restoration of lost data

Frequent backups of the configuration data as a countermeasure for data loss

The developer states that the issues caused by the FINS protocol will be treated as CVE-2023-27396.

Credit

This document is written by Omron and JPCERT/CC.

Other Information

CVE CVE-2023-27396

Update History

2023/09/19
Information under the section "Products Affected" was updated.