Published:2021/12/24  Last Updated:2022/01/07

JVNVU#92279973
Multiple vulnerabilities in IDEC PLCs

Overview

IDEC PLCs (Programmable Logic Controller) contain multiple vulnerabilities.

Products Affected

  • CVE-2021-37400, CVE-2021-37401
    • FC6A Series MICROSmart All-in-One CPU module v2.32 and earlier
    • FC6B Series MICROSmart All-in-One CPU module v2.31 and earlier
    • FC6A Series MICROSmart Plus CPU module v1.91 and earlier
    • FC6B Series MICROSmart Plus CPU module v2.31 and earlier
    • FT1A Series SmartAxix Pro/Lite v2.31 and earlier
    • WindLDR v8.19.1 and earlier
    • WindEDIT v1.3.1 and earlier
    • Data File Manager v2.12.1 and earlier
  • CVE-2021-20826, CVE-2021-20827
    • FC6A Series MICROSmart All-in-One CPU module v2.32 and earlier
    • FC6A Series MICROSmart Plus CPU module v1.91 and earlier
    • WindLDR v8.19.1 and earlier
    • WindEDIT Lite v1.3.1 and earlier
    • Data File Manager v2.12.1 and earlier
For more information, refer to the information provided by the developer.

Description

Multiple PLCs provided by IDEC Corporation contain multiple vulnerabilities listed below.

  • Unprotected transport of credentials (CWE-523) - CVE-2021-37400
    CVSS v3 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L Base Score: 7.6
  • Plaintext storage of a password (CWE-256) - CVE-2021-37401
    CVSS v3 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L Base Score: 7.6
  • Unprotected transport of credentials (CWE-523) - CVE-2021-20826
    CVSS v3 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L Base Score: 7.6
  • Plaintext storage of a password (CWE-256) - CVE-2021-20827
    CVSS v3 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L Base Score: 7.6

Impact

  • An attacker may obtain the user credentials from the communication between the PLC and the software.  As a result, the PLC user program may be uploaded, altered, and/or downloaded. - CVE-2021-37400
  • An attacker may obtain the user credentials from file servers, backup repositories, or ZLD files saved in SD cards.  As a result, the PLC user program may be uploaded, altered, and/or downloaded. - CVE-2021-37401
  • An attacker may obtain the PLC Web server user credentials from the communication between the PLC and the software.  As a result, the complete access privileges to the PLC Web server may be obtained, and manipulation of the PLC output and/or suspension of the PLC may be conducted. -  CVE-2021-20826
  • An attacker may obtain the PLC Web server user credentials from file servers, backup repositories, or ZLD files saved in SD cards.  As a result, the attacker may access the PLC Web server and hijack the PLC, and manipulation of the PLC output and/or suspension of the PLC may be conducted. - CVE-2021-20827

Solution

Update the software
Apply the appropriate software update according to the information provided by the developer.

  • FC6A Series MICROSmart All-in-One CPU module v2.40 and later
  • FC6B Series MICROSmart All-in-One CPU module v2.40 and later
  • FC6A Series MICROSmart Plus CPU module v2.00 and later
  • FC6B Series MICROSmart Plus CPU module v2.40 and later
  • FT1A Series SmartAxix Pro/Lite v2.40 and later
  • WindLDR v8.20.0 and later
  • WindEDIT Lite v1.4.0 and later
  • Data File Manager v2.13.0 and later
Apply workarounds
Applying the below workarounds may mitigate the impacts of these vulnerabilities.
  • Restrict network appropriately to prevent the suspicious connection from untrusted devices
  • Restrict the devices which can access PLCs
  • Manage ZLD files appropriately
For more information, refer to the information provided by the developer.

Vendor Status

References

  1. ICS Advisory (ICSA-22-006-03)
    IDEC PLCs

JPCERT/CC Addendum

CVE-2021-37400 and CVE-2021-37401 were assigned by MITRE as Khalid Ansari reported/requested to MITRE.
CVE-2021-20826 and CVE-2021-20827 were assigned by JPCERT/CC as Khalid Ansari reported/requested to JPCERT/CC.
CVE IDs listed under [Other Information] section in JVN advisory are limited to the ones which JPCERT/CC as a CNA assigns.  This operational change was made in April 9, 2021.  For more information, refer to "The content of ”Instructions" is updated (2021-04-16)".

Vulnerability Analysis by JPCERT/CC

Credit

Khalid Ansari of FM Approvals reported these vulnerabilities to IDEC Corporation, and IDEC Corporation reported
the case to JPCERT/CC and coordinated in order to notify users of the solutions through JVN.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2021-20826
CVE-2021-20827
JVN iPedia

Update History

2022/01/07
Information under the section [References] was updated with ICS Advisory.