Published:2023/01/11  Last Updated:2023/01/11

JVNVU#97575890
Active debug code vulnerability in OMRON CP1L-EL20DR-D

Overview

OMRON CP1L-EL20DR-D contains a vulnerability where active debug code is available.

Products Affected

  • Programmable Logic Controller (PLC) CP1L Series
    • CP1L-EL20DR-D all versions
To check the product names and versions, refer to the manual "CP Series CP1L-EL/EM CPU Unit User's Manual (SBCA-406)" provided by the developer.

Description

Active debug code (CWE-489) exists in CP1L-EL20DR-D provided by OMRON Corporation. As a result, a command that is not specified in the FINS protocol may be executed without authentication.
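
One way to watch for the condition described above, as an added example that is not code from OMRON or JPCERT/CC: a parser for FINS/UDP payloads that flags any command code outside a site-defined allowlist. The allowlist contents, function names and sample frames are assumptions constructed for illustration, and the placeholder code FFFF is not the command this advisory refers to.

```python
import struct

# Assumption: allowlist of FINS command codes (MRC, SRC) that this site's tools
# actually send, taken from the FINS command reference. Adjust it per site.
ALLOWED_COMMANDS = {
    (0x01, 0x01): "MEMORY AREA READ",
    (0x01, 0x02): "MEMORY AREA WRITE",
    (0x05, 0x01): "CPU UNIT DATA READ",
    (0x06, 0x01): "CPU UNIT STATUS READ",
    (0x07, 0x01): "CLOCK READ",
}

FINS_HEADER_LEN = 10  # ICF RSV GCT DNA DA1 DA2 SNA SA1 SA2 SID


def inspect_fins_udp(payload: bytes) -> dict:
    """Classify one FINS/UDP payload: allowed, unlisted, response or malformed."""
    if len(payload) < FINS_HEADER_LEN + 2:
        return {"verdict": "malformed", "reason": "shorter than header + command code"}
    icf, _rsv, _gct, dna, da1, da2, sna, sa1, sa2, sid = struct.unpack_from("10B", payload)
    mrc, src = payload[FINS_HEADER_LEN], payload[FINS_HEADER_LEN + 1]
    info = {"source": (sna, sa1, sa2), "dest": (dna, da1, da2),
            "sid": sid, "command": f"{mrc:02X}{src:02X}"}
    if icf & 0x40:  # ICF bit 6 set: the frame is a response, not a command
        return {**info, "verdict": "response"}
    name = ALLOWED_COMMANDS.get((mrc, src))
    if name is None:
        return {**info, "verdict": "unlisted"}
    return {**info, "verdict": "allowed", "name": name}


def unlisted_commands(payloads):
    """Return the records worth alerting on: malformed frames and unlisted commands."""
    results = [inspect_fins_udp(p) for p in payloads]
    return [r for r in results if r["verdict"] in ("unlisted", "malformed")]


# Constructed sample payloads (not captured traffic).
SAMPLES = [
    bytes.fromhex("800002000a0000c80001" "0101" "82006400000a"),  # memory area read
    bytes.fromhex("c00002000a0000c80001" "0101" "0000"),          # response frame
    bytes.fromhex("800002000a0000c80002" "ffff"),                 # placeholder unlisted code
    bytes.fromhex("80000200"),                                    # truncated frame
]

if __name__ == "__main__":
    for alert in unlisted_commands(SAMPLES):
        print(alert)
```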

Impact

A remote unauthenticated attacker may read from or write to arbitrary areas of the device memory, which may lead to overwriting the firmware, causing a denial-of-service (DoS) condition, and/or arbitrary code execution.

Solution

Update the product and enable the “Extend protection password” function
Update the product to the following product/version, in which UM read protection and task read protection are implemented, and enable the “Extend protection password” function.

  • The programmable controller (PLC) CP1L Series Ver.1.1 or later
  • CX-Programmer Ver.9.6 or later

For more information, refer to the information provided by the developer under [Vendor Status] section's [Status (Vulnerable)] page.

Apply Workarounds
Applying the workarounds may mitigate the impacts of this vulnerability.
For more information, refer to the information provided by the developer under [Vendor Status] section's [Status (Vulnerable)] page.

Vendor Status

| Vendor | Status | Last Update | Vendor Notes |
|---|---|---|---|
| OMRON Corporation | Vulnerable | 2023/01/11 | |

Vulnerability Analysis by JPCERT/CC

CVSS v3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Base Score: 9.1

| Metric | Value |
|---|---|
| Attack Vector (AV) | Network (N) |
| Attack Complexity (AC) | Low (L) |
| Privileges Required (PR) | None (N) |
| User Interaction (UI) | None (N) |
| Scope (S) | Unchanged (U) |
| Confidentiality Impact (C) | None (N) |
| Integrity Impact (I) | High (H) |
| Availability Impact (A) | High (H) |

Credit

Georgy Kiguradze of Positive Technologies reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.

Other Information

CVE: CVE-2023-22357