Published:2024/04/22  Last Updated:2024/04/22

JVNVU#98274902
Multiple vulnerabilities in OMRON Sysmac Studio/CX-One and CX-Programmer

Overview

OMRON Sysmac Studio/CX-One and CX-Programmer contain multiple vulnerabilities.

Products Affected

CVE-2024-31412

  • CX-Programmer Ver. 9.81 and earlier
    • Included in CX-One CXONE-AL[][]D-V4
CVE-2024-31413
  • CX-One CXONE-AL[][]D-V4
    • Versions installed from DVD ver. 4.61.1 or earlier and updated through CX-One V4 auto update in January 2024 or earlier
  • Sysmac Studio SYSMAC-SE2[][][]
    • Versions installed from DVD ver. 1.56 or earlier and updated through Sysmac Studio V1 auto update in January 2024 or earlier
For more information, refer to the information provided by the developer.

Description

OMRON Sysmac Studio/CX-One and CX-Programmer contain multiple vulnerabilities listed below.

  • Out-of-bounds read (CWE-125)
    • CVE-2024-31412
    • CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Base Score 7.8
  • Free of pointer not at start of buffer (CWE-761)
    • CVE-2024-31413
    • CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Base Score 7.8

Impact

  • Opening a specially crafted project file may lead to information disclosure and/or a crash of the product (CVE-2024-31412)
  • Opening a specially crafted project file may lead to arbitrary code execution (CVE-2024-31413)
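Both issues are in the handling of project file contents: a length or offset taken from the file is trusted when reading (CWE-125), and a pointer that has been advanced into an allocated block is handed back to free() (CWE-761). The following C program is an added illustration of those two weakness classes next to their hardened forms. It is not OMRON's code and does not reflect the affected products' actual file format; the record layout (a 2-byte little-endian length followed by a section name that may carry a "group/" prefix), the function names and the sample bytes are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical record layout (constructed, not the vendor's format):
 *   [len_lo][len_hi][name bytes ...]
 * Reads the little-endian 16-bit length; caller guarantees 2 bytes exist. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* CWE-125 pattern: the length comes straight from the file and drives the
 * copy without being compared to the bytes actually present, so a crafted
 * record makes memcpy read past the end of `buf` (information disclosure or
 * a crash, as described for CVE-2024-31412). Kept only as the "before" form;
 * never call it on untrusted input. */
char *read_name_unsafe(const uint8_t *buf, size_t buflen) {
    if (buflen < 2) return NULL;
    uint16_t n = rd16(buf);                 /* attacker-controlled */
    char *name = malloc((size_t)n + 1);
    if (!name) return NULL;
    memcpy(name, buf + 2, n);               /* no check that n <= buflen - 2 */
    name[n] = '\0';
    return name;
}

/* Hardened form: the declared length is validated against the remaining
 * bytes before anything is read. */
char *read_name_checked(const uint8_t *buf, size_t buflen) {
    if (buflen < 2) return NULL;
    uint16_t n = rd16(buf);
    if ((size_t)n > buflen - 2) return NULL;    /* declared length exceeds data */
    char *name = malloc((size_t)n + 1);
    if (!name) return NULL;
    memcpy(name, buf + 2, n);
    name[n] = '\0';
    return name;
}

/* CWE-761 pattern: strip a "group/" prefix by advancing the pointer, then
 * pass the advanced pointer to free(). The allocator receives an address
 * that is not the start of the block, which corrupts heap metadata and is
 * the kind of defect that becomes code execution (cf. CVE-2024-31413).
 * Kept only as the "before" form; never called here. */
void release_basename_unsafe(char *name) {
    char *slash = strchr(name, '/');
    if (slash) name = slash + 1;            /* no longer the malloc() result */
    free(name);                             /* CWE-761 */
}

/* Hardened form: derive the basename into a fresh allocation and leave the
 * original pointer untouched so it can be freed correctly by the owner. */
char *basename_copy(const char *name) {
    const char *slash = strchr(name, '/');
    const char *base = slash ? slash + 1 : name;
    size_t len = strlen(base);
    char *copy = malloc(len + 1);
    if (!copy) return NULL;
    memcpy(copy, base, len + 1);
    return copy;
}

/* Parse one record. Returns 1 on success with *out set to a heap copy of
 * the basename (caller frees), 0 if the record is rejected (*out = NULL). */
int parse_record(const uint8_t *buf, size_t buflen, char **out) {
    *out = NULL;
    char *name = read_name_checked(buf, buflen);
    if (!name) return 0;
    *out = basename_copy(name);
    free(name);                             /* the pointer malloc() returned */
    return *out != NULL;
}

/* Self-checks on constructed sample records (not real project files). */
int check_well_formed(void) {
    static const uint8_t rec[] = {0x09, 0x00, 'g','r','p','/','M','a','i','n','1'};
    char *out = NULL;
    int ok = parse_record(rec, sizeof rec, &out) && strcmp(out, "Main1") == 0;
    free(out);
    return ok;
}

int check_crafted(void) {
    /* Declares 65535 bytes of name but carries only 3: must be rejected. */
    static const uint8_t rec[] = {0xFF, 0xFF, 'a', 'b', 'c'};
    char *out = NULL;
    return parse_record(rec, sizeof rec, &out) == 0 && out == NULL;
}

int main(void) {
    printf("well-formed record parsed: %d\n", check_well_formed());
    printf("crafted record rejected:   %d\n", check_crafted());
    return 0;
}
```

The same two checks generalise to any binary project or configuration format: every length, count or offset read from the file is bounded against the bytes that remain before it is used, and the pointer passed to free() is always the one the allocator returned, never one derived from it.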

Solution

Update the software
Update the affected software to the latest version according to the information provided by the developer.

For details on how to obtain and apply the update, contact the developer and/or the sales representatives.

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

Michael Heinzl reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.

Other Information

CVE: CVE-2024-31412, CVE-2024-31413