Published: 2022/11/25  Last Updated: 2023/01/11

JVNVU#92877622
Multiple vulnerabilities in OMRON CX-Programmer

Overview

OMRON CX-Programmer contains multiple vulnerabilities.

Products Affected

CVE-2022-43508
  • CX-Programmer Ver.9.77 and earlier

CVE-2022-43509, CVE-2022-43667
  • CX-Programmer Ver.9.78 and earlier

CVE-2023-22277, CVE-2023-22317, CVE-2023-22314
  • CX-Programmer Ver.9.79 and earlier

Description

CX-Programmer provided by Omron Corporation contains multiple vulnerabilities listed below.

  • Use-after-free (CWE-416) - CVE-2022-43508, CVE-2023-22277, CVE-2023-22317, CVE-2023-22314
    CVSS v3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Base Score: 7.8
  • Out-of-bounds Write (CWE-787) - CVE-2022-43509
    CVSS v3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Base Score: 7.8
  • Stack-based Buffer Overflow (CWE-121) - CVE-2022-43667
    CVSS v3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Base Score: 7.8

Impact

If a user opens a specially crafted CXP file, information may be disclosed and/or arbitrary code may be executed.

Solution

Update the Software
The update for the CX-One suite is applied by its Auto Update function, so users do not need to take any action.
The developer recommends that users contact the developer and/or their sales representatives if there are any issues with Auto Update.

For more information, refer to the information provided by the developer.

Vendor Status

Vendor             Status      Last Update  Vendor Notes
OMRON Corporation  Vulnerable  2022/12/22

References

  1. ICS Advisory (ICSA-22-356-04): Omron CX-Programmer

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

Michael Heinzl reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.

Other Information

CVE: CVE-2022-43509, CVE-2022-43667, CVE-2023-22277, CVE-2023-22317, CVE-2023-22314, CVE-2022-43508
JVN iPedia

Update History

2022/12/15
Information under the sections [Products Affected] and [Solution] was updated
2023/01/11
Information under the sections [Products Affected], [Description], [References], and [Other Information] was updated, and OMRON Corporation updated its status