Published: 2024/05/27 Last Updated: 2024/05/27
JVNVU#92504444
OMRON NJ/NX series vulnerable to insufficient verification of data authenticity
Overview
OMRON NJ/NX series contain an issue with insufficient verification of data authenticity.
Products Affected
- Machine Automation Controller NJ Series CPU Unit all versions
- Machine Automation Controller NX Series CPU Unit all versions
Description
Machine Automation Controller NJ/NX series provided by OMRON Corporation contain an issue with insufficient verification of data authenticity (CWE-345).
Impact
If a user program in the affected product is altered, the product may not be able to detect the alteration.
Solution
Use "User Program Transfer with No Restoration Information" (*1).
(*1) See the following manual provided by the developer for "User Program Transfer with No Restoration Information":
- NJ/NX-series CPU unit Software User’s Manual (W501)
The developer recommends that users apply the following mitigations or workarounds:
- Restrict access from untrusted network devices
- Isolate the product from the IT network by using a firewall (such as closing unused communication ports, restricting communication hosts, etc.)
Vendor Status
Vendor | Link |
OMRON Corporation | Insufficient Verification of Data Authenticity vulnerability in NJ/NX-series Machine Automation Controllers |
Credit
OMRON Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
Other Information
CVE | CVE-2024-33687 |