Published:2021/12/24  Last Updated:2022/01/07

JVNVU#92279973
Multiple vulnerabilities in IDEC PLCs

Overview

IDEC PLCs (Programmable Logic Controller) contain multiple vulnerabilities.

Products Affected

  • CVE-2021-37400, CVE-2021-37401
    • FC6A Series MICROSmart All-in-One CPU module v2.32 and earlier
    • FC6B Series MICROSmart All-in-One CPU module v2.31 and earlier
    • FC6A Series MICROSmart Plus CPU module v1.91 and earlier
    • FC6B Series MICROSmart Plus CPU module v2.31 and earlier
    • FT1A Series SmartAxix Pro/Lite v2.31 and earlier
    • WindLDR v8.19.1 and earlier
    • WindEDIT v1.3.1 and earlier
    • Data File Manager v2.12.1 and earlier
  • CVE-2021-20826, CVE-2021-20827
    • FC6A Series MICROSmart All-in-One CPU module v2.32 and earlier
    • FC6A Series MICROSmart Plus CPU module v1.91 and earlier
    • WindLDR v8.19.1 and earlier
    • WindEDIT Lite v1.3.1 and earlier
    • Data File Manager v2.12.1 and earlier
For more information, refer to the information provided by the developer.

Description

Multiple PLCs provided by IDEC Corporation contain multiple vulnerabilities listed below.

  • Unprotected transport of credentials (CWE-523) - CVE-2021-37400
    CVSS v3 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L Base Score: 7.6
  • Plaintext storage of a password (CWE-256) - CVE-2021-37401
    CVSS v3 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L Base Score: 7.6
  • Unprotected transport of credentials (CWE-523) - CVE-2021-20826
    CVSS v3 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L Base Score: 7.6
  • Plaintext storage of a password (CWE-256) - CVE-2021-20827
    CVSS v3 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L Base Score: 7.6

Impact

  • An attacker may obtain the user credentials from the communication between the PLC and the software.  As a result, the PLC user program may be uploaded, altered, and/or downloaded. - CVE-2021-37400
  • An attacker may obtain the user credentials from file servers, backup repositories, or ZLD files saved in SD cards.  As a result, the PLC user program may be uploaded, altered, and/or downloaded. - CVE-2021-37401
  • An attacker may obtain the PLC Web server user credentials from the communication between the PLC and the software.  As a result, the complete access privileges to the PLC Web server may be obtained, and manipulation of the PLC output and/or suspension of the PLC may be conducted. -  CVE-2021-20826
  • An attacker may obtain the PLC Web server user credentials from file servers, backup repositories, or ZLD files saved in SD cards.  As a result, the attacker may access the PLC Web server and hijack the PLC, and manipulation of the PLC output and/or suspension of the PLC may be conducted. - CVE-2021-20827

Solution

Update the software
Apply the appropriate software update according to the information provided by the developer.

  • FC6A Series MICROSmart All-in-One CPU module v2.40 and later
  • FC6B Series MICROSmart All-in-One CPU module v2.40 and later
  • FC6A Series MICROSmart Plus CPU module v2.00 and later
  • FC6B Series MICROSmart Plus CPU module v2.40 and later
  • FT1A Series SmartAxix Pro/Lite v2.40 and later
  • WindLDR v8.20.0 and later
  • WindEDIT Lite v1.4.0 and later
  • Data File Manager v2.13.0 and later
Apply workarounds
Applying the below workarounds may mitigate the impacts of these vulnerabilities.
  • Restrict network appropriately to prevent the suspicious connection from untrusted devices
  • Restrict the devices which can access PLCs
  • Manage ZLD files appropriately
For more information, refer to the information provided by the developer.

Vendor Status

Vendor Link
IDEC Corporation Vulnerability notification for IDEC PLC (Text in Japanese)

References

  1. ICS Advisory (ICSA-22-006-03)
    IDEC PLCs

JPCERT/CC Addendum

CVE-2021-37400 and CVE-2021-37401 were assigned by MITRE as Khalid Ansari reported/requested to MITRE.
CVE-2021-20826 and CVE-2021-20827 were assigned by JPCERT/CC as Khalid Ansari reported/requested to JPCERT/CC.
CVE IDs listed under [Other Information] section in JVN advisory are limited to the ones which JPCERT/CC as a CNA assigns.  This operational change was made in April 9, 2021.  For more information, refer to "The content of ”Instructions" is updated (2021-04-16)".

Vulnerability Analysis by JPCERT/CC

Credit

Khalid Ansari of FM Approvals reported these vulnerabilities to IDEC Corporation, and IDEC Corporation reported
the case to JPCERT/CC and coordinated in order to notify users of the solutions through JVN.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2021-20826
CVE-2021-20827
JVN iPedia

Update History

2022/01/07
Information under the section [References] was updated with ICS Advisory.