Headline
CVE-2023-22357: Active debug code vulnerability in OMRON CP1L-EL20DR-D
Active debug code exists in OMRON CP1L-EL20DR-D all versions, which may lead to a command that is not specified in FINS protocol being executed without authentication. A remote unauthenticated attacker may read/write in arbitrary area of the device memory, which may lead to overwriting the firmware, causing a denial-of-service (DoS) condition, and/or arbitrary code execution.
Published:2023/01/11 Last Updated:2023/01/11
Overview
OMRON CP1L-EL20DR-D contains a vulnerability where active debug code is available.
Products Affected
- Programmable Logic Controller (PLC) CP1L Series
- CP1L-EL20DR-D all versions
To check the product names and versions, refer to the manual "CP Series CP1L-EL/EM CPU Unit User’s Manual (SBCA-406)" provided by the developer.
Description
Active debug code (CWE-489) exists in CP1L-EL20DR-D provided by OMRON Corporation, which may lead to a command that is not specified in FINS protocol being executed without authentication.
Impact
A remote unauthenticated attacker may read/write in arbitrary area of the device memory, which may lead to overwriting the firmware, causing a denial-of-service (DoS) condition, and/or arbitrary code execution.
Solution
Update the product and enable ”Extend protection password” function
Update the product to the below product/version where UM read protection and task read protection are implemented, and enable “Extend protection password” function.
- The programmable controller (PLC) CP1L Series Ver.1.1 or later
- CX-Programmer Ver.9.6 or later
For more information, refer to the information provided by the developer under [Vendor Status] section’s [Status (Vulnerable)] page.
Apply Workarounds
Applying the workarounds may mitigate the impacts of this vulnerability.
For more information, refer to the information provided by the developer under [Vendor Status] section’s [Status (Vulnerable)] page.
Vendor Status
Vendor
Status
Last Update
Vendor Notes
OMRON Corporation
Vulnerable
2023/01/11
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Attack Vector(AV)
Physical §
Local (L)
Adjacent (A)
Network (N)
Attack Complexity(AC)
High (H)
Low (L)
Privileges Required(PR)
High (H)
Low (L)
None (N)
User Interaction(UI)
Required ®
None (N)
Scope(S)
Unchanged (U)
Changed ©
Confidentiality Impact©
None (N)
Low (L)
High (H)
Integrity Impact(I)
None (N)
Low (L)
High (H)
Availability Impact(A)
None (N)
Low (L)
High (H)
Credit
Georgy Kiguradze of Positive Technologies reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.
Other Information
JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE
CVE-2023-22357
JVN iPedia