Published:2024/08/30  Last Updated:2025/07/02

JVNVU#96959731
Multiple vulnerabilities in IDEC products

Overview

IDEC products contain multiple vulnerabilities.

Products Affected

CVE-2024-41927

  • FC6A Series MICROSmart All-in-One CPU module Ver.2.60 and earlier
  • FC6B Series MICROSmart All-in-One CPU module Ver.2.60 and earlier
  • FC6A Series MICROSmart Plus CPU module Ver.2.40 and earlier
  • FC6B Series MICROSmart Plus CPU module Ver.2.60 and earlier
  • FT1A Series SmartAXIS Pro/Lite Ver.2.41 and earlier
CVE-2024-28957
  • FC6A Series MICROSmart All-in-One CPU module Ver.2.60 and earlier
  • FC6B Series MICROSmart All-in-One CPU module Ver.2.60 and earlier
  • FC6A Series MICROSmart Plus CPU module Ver.2.40 and earlier
  • FC6B Series MICROSmart Plus CPU module Ver.2.60 and earlier
  • SX8R Bus Coupler Module Ver.2.1.0 and earlier

Description

Multiple products provided by IDEC Corporation contain multiple vulnerabilities listed below.

  • Cleartext transmission of sensitive information(CWE-319
    • CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Base Score 4.6
    • CVE-2024-41927
  • Generation of predictable identifiers(CWE-340
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Base Score 5.3
    • CVE-2024-28957
    • This vulnerability comes from Cente middleware used in IDEC products

Impact

  • If an attacker sends a specific command to PLC's serial communication port, the user's authentication information may be obtained. As a result, the program of the PLC may be obtained, and the PLC may be operated unexpectedly (CVE-2024-41927)
  • An unauthenticated attacker may interfere communications by predicting some packet header IDs of the products (CVE-2024-28957)

Solution

Update the System Software
Update the System Software to the latest version according to the information provided by the developer.
The developer has released the following versions that address the vulnerabilities.

  • FC6A Series MICROSmart All-in-One CPU module Ver.2.70
  • FC6B Series MICROSmart All-in-One CPU module Ver.2.70
  • FC6A Series MICROSmart Plus CPU module Ver.2.50
  • FC6B Series MICROSmart Plus CPU module Ver.2.70
  • FT1A Series SmartAXIS Pro/Lite Ver.2.50
  • SX8R Bus Coupler Module Ver.2.2.0

Vendor Status

Vendor Link
IDEC Corporation Vulnerabilities regarding plaintext transmission of sensitive information and predictable ID usage (PDF)

References

  1. ICS Advisory | ICSA-24-263-02
    IDEC PLCs

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

IDEC Corporation reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2024-41927
CVE-2024-28957
JVN iPedia

Update History

2024/09/20
Information under the section [References] was updated
2025/07/02
Information under the section [Title], [Overview], [Products Affected], [Description], [Solution], and [Vendor Status] was updated