Published:2024/08/30 Last Updated:2025/07/02
JVNVU#96959731
Multiple vulnerabilities in IDEC products
Overview
IDEC products contain multiple vulnerabilities.
Products Affected
CVE-2024-41927
- FC6A Series MICROSmart All-in-One CPU module Ver.2.60 and earlier
- FC6B Series MICROSmart All-in-One CPU module Ver.2.60 and earlier
- FC6A Series MICROSmart Plus CPU module Ver.2.40 and earlier
- FC6B Series MICROSmart Plus CPU module Ver.2.60 and earlier
- FT1A Series SmartAXIS Pro/Lite Ver.2.41 and earlier
CVE-2024-28957
- FC6A Series MICROSmart All-in-One CPU module Ver.2.60 and earlier
- FC6B Series MICROSmart All-in-One CPU module Ver.2.60 and earlier
- FC6A Series MICROSmart Plus CPU module Ver.2.40 and earlier
- FC6B Series MICROSmart Plus CPU module Ver.2.60 and earlier
- SX8R Bus Coupler Module Ver.2.1.0 and earlier
Description
Multiple products provided by IDEC Corporation contain the vulnerabilities listed below.
- Cleartext transmission of sensitive information (CWE-319)
- CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Base Score 4.6
- CVE-2024-41927
- Generation of predictable identifiers (CWE-340)
- CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Base Score 5.3
- CVE-2024-28957
- This vulnerability originates in the Cente middleware used in the IDEC products
Impact
- If an attacker sends a specific command to the PLC's serial communication port, the user's authentication information may be obtained. As a result, the PLC program may be read out and the PLC may be operated unexpectedly. The CVSS vector is AV:P, so the attacker needs physical access to the serial port (CVE-2024-41927)
- An unauthenticated attacker may interfere with communications by predicting some packet header IDs used by the products (CVE-2024-28957)
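The CWE-340 impact above (interference by predicting packet header IDs) can be assessed in one's own traffic with a simple test: if each ID can be guessed from the two before it, an attacker can forge a packet the receiver will pair with an outstanding exchange. The following is an added illustration, not code from IDEC, Cente or JVN; it assumes a 16-bit header ID field (an assumption for the example, the advisory does not state the width) and uses constructed sample sequences rather than any real capture.

```python
import secrets
from typing import Sequence

# Assumed header-ID width for this illustration; the advisory does not state it.
ID_BITS = 16
ID_MOD = 1 << ID_BITS

# Constructed sample (not captured from any device): a counter-style ID field
# seen across eight consecutive packets, including the wrap from 0xFFFF to 0x0000.
COUNTER_IDS = [0xFFFC, 0xFFFD, 0xFFFE, 0xFFFF, 0x0000, 0x0001, 0x0002, 0x0003]


def next_guess(prev: int, cur: int) -> int:
    """Predict the next ID assuming a constant stride, modulo the field width."""
    stride = (cur - prev) % ID_MOD
    return (cur + stride) % ID_MOD


def guess_hit_rate(ids: Sequence[int]) -> float:
    """Fraction of IDs an observer guesses correctly from the two preceding ones.

    1.0 means every ID after the first two was predictable, i.e. the generator
    is a plain counter (CWE-340). Values near 0.0 are what a CSPRNG yields.
    """
    if len(ids) < 3:
        raise ValueError("need at least three observed IDs")
    hits = sum(
        1 for i in range(2, len(ids)) if next_guess(ids[i - 2], ids[i - 1]) == ids[i]
    )
    return hits / (len(ids) - 2)


def random_ids(n: int) -> list[int]:
    """What a fixed generator should do: draw every ID from a CSPRNG."""
    return [secrets.randbits(ID_BITS) for _ in range(n)]


def assess(ids: Sequence[int], threshold: float = 0.5) -> str:
    """Classify a captured ID sequence for a quick triage report."""
    return "predictable" if guess_hit_rate(ids) >= threshold else "unpredictable"


if __name__ == "__main__":
    print("counter IDs :", guess_hit_rate(COUNTER_IDS), assess(COUNTER_IDS))
    sample = random_ids(64)
    print("CSPRNG IDs  :", guess_hit_rate(sample), assess(sample))
```

Two caveats when applying this to a real device: a random ID only helps if the receiver actually rejects packets whose ID does not match an outstanding request, and a 16-bit field still leaves an on-path attacker a 1-in-65536 chance per forged packet, so the ID is a freshness check, not a substitute for message authentication.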
Solution
Update the System Software
Update the System Software to the latest version according to the information provided by the developer.
The developer has released the following versions that address the vulnerabilities.
- FC6A Series MICROSmart All-in-One CPU module Ver.2.70
- FC6B Series MICROSmart All-in-One CPU module Ver.2.70
- FC6A Series MICROSmart Plus CPU module Ver.2.50
- FC6B Series MICROSmart Plus CPU module Ver.2.70
- FT1A Series SmartAXIS Pro/Lite Ver.2.50
- SX8R Bus Coupler Module Ver.2.2.0
Vendor Status
Vendor: IDEC Corporation
Link: Vulnerabilities regarding plaintext transmission of sensitive information and predictable ID usage (PDF)
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
IDEC Corporation reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.
Other Information
CVE
- CVE-2024-41927
- CVE-2024-28957
Update History
- 2024/09/20
- Information under the section [References] was updated
- 2025/07/02
- Information under the sections [Title], [Overview], [Products Affected], [Description], [Solution], and [Vendor Status] was updated