JVNVU#95852116
OMRON NJ/NX series vulnerable to path traversal
Overview
OMRON NJ/NX series contain a path traversal vulnerability.
Products Affected
- Machine Automation Controller NJ Series
  - NJ101-[][][][] Ver.1.64.03 and earlier
  - NJ301-[][][][] Ver.1.64.00 and earlier
  - NJ501-1[]0[] Ver.1.64.03 and earlier
  - NJ501-1[]2[] Ver.1.64.00 and earlier
  - NJ501-1340 Ver.1.64.00 and earlier
  - NJ501-4[][][] Ver.1.64.00 and earlier
  - NJ501-5300 Ver.1.64.00 and earlier
  - NJ501-R[][][] Ver.1.64.00 and earlier
- Machine Automation Controller NX Series
  - NX1P2-[][][][][][] Ver.1.64.00 and earlier
  - NX1P2-[][][][][][]1 Ver.1.64.00 and earlier
  - NX102-[][][][] Ver.1.64.00 and earlier
  - NX502-[][][][] Ver.1.65.01 and earlier
  - NX701-[][][][] Ver.1.35.00 and earlier
  - NX-EIP201 Ver.1.00.01 and earlier
Description
Machine Automation Controller NJ/NX series provided by OMRON Corporation contain a path traversal vulnerability (CWE-22, CVE-2024-27121).
Impact
A remote attacker with administrative privileges may send a specially crafted request that, when processed by the affected product, allows an arbitrary file on the product to be accessed or arbitrary code to be executed.
Solution
The developer states that updates containing a fix for this vulnerability are scheduled for release in April 2024.
Apply the workarounds
The developer recommends that users apply the following workarounds to mitigate the impact of this vulnerability.
- Use the "Secure Communication Function", which is implemented in the following products/versions:
  - NJ series, NX102, NX1P2 CPU Unit Ver.1.49 and later
  - NX701 CPU Unit Ver.1.29 and later
  - NX502 CPU Unit Ver.1.60 and later
  - NX-EIP201 Ver.1.00 and later
- Restrict access from untrusted devices and allow only limited network access
- Isolate the controller from the IT network with a firewall (block unused communication ports, restrict the hosts allowed to communicate, etc.)
- Use a Virtual Private Network (VPN)
Vendor Status
Vendor | Link |
---|---|
OMRON Corporation | Path Traversal Vulnerabilities in NJ/NX-series Machine Automation Controllers |
JPCERT/CC Addendum
Credit
OMRON Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
Other Information
Item | Reference |
---|---|
CVE | CVE-2024-27121 |