CVE-2023-22314: Multiple vulnerabilities in OMRON CX-Programmer
A use-after-free vulnerability exists in CX-Programmer Ver.9.79 and earlier. By having a user open a specially crafted CXP file, information disclosure and/or arbitrary code execution may occur. This vulnerability is different from CVE-2023-22277 and CVE-2023-22317.
Published: 2022/11/25  Last Updated: 2023/01/11
Overview
OMRON CX-Programmer contains multiple vulnerabilities.
Products Affected
CVE-2022-43508
- CX-Programmer Ver.9.77 and earlier
CVE-2022-43509, CVE-2022-43667
- CX-Programmer Ver.9.78 and earlier
CVE-2023-22277, CVE-2023-22317, CVE-2023-22314
- CX-Programmer Ver.9.79 and earlier
Description
CX-Programmer provided by Omron Corporation contains multiple vulnerabilities listed below.
Use-after-free (CWE-416) - CVE-2022-43508, CVE-2023-22277, CVE-2023-22317, CVE-2023-22314
CVSS v3
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score: 7.8
Out-of-bounds Write (CWE-787) - CVE-2022-43509
CVSS v3
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score: 7.8
Stack-based Buffer Overflow (CWE-121) - CVE-2022-43667
CVSS v3
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score: 7.8
Impact
By having a user open a specially crafted CXP file, information disclosure and/or arbitrary code execution may occur.
Solution
Update the Software
Updates for the CX-One suite are applied through its Auto Update function, so users do not need to take any action.
The developer recommends that users contact the developer and/or their sales representative if they have any issues with Auto Update.
For more information, refer to the information provided by the developer.
Vendor Status
Vendor: OMRON Corporation
Status: Vulnerable
Last Update: 2022/12/22
Vendor Notes: (none)
References
- ICS Advisory (ICSA-22-356-04): Omron CX-Programmer
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Michael Heinzl reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.
Other Information
Update History
2022/12/15
Information under the sections [Products Affected] and [Solution] was updated.
2023/01/11
Information under the sections [Products Affected], [Description], [References], and [Other Information] was updated, and OMRON Corporation updated its status.
Related news
A use-after-free vulnerability exists in CX-Programmer Ver.9.79 and earlier. By having a user open a specially crafted CXP file, information disclosure and/or arbitrary code execution may occur. This vulnerability is different from CVE-2023-22277 and CVE-2023-22314.
A stack-based buffer overflow vulnerability exists in CX-Programmer v.9.77 and earlier, which may lead to information disclosure and/or arbitrary code execution by having a user open a specially crafted CXP file.