Indian Computer Emergency Response Team (cert-in.org.in)
Severity Rating: HIGH
Software Affected
NX7-series Machine Automation Controller versions prior to 1.28 (All Models)
NX1-series Machine Automation Controller versions prior to 1.48 (All Models)
NJ-series Machine Automation Controller versions prior to 1.48 (All Models)
Automation Software Sysmac Studio versions prior to 1.49 (All Models)
NA-series Programmable Terminal Runtime versions prior to 1.15 (NA5-15W, NA5-12W, NA5-9W, NA5-7W)
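The list above gives one fixed version per product family, and a unit is affected when it runs anything strictly older. The following inventory triage script is an added example written for this page (it is not CERT-In or Omron code); the product-family labels, the constructed inventory and the helper names are assumptions, and version strings are compared component-wise as integers, which matches the two-digit minor numbering used in the advisory.

```python
from typing import List, Tuple

# Fixed versions copied from the advisory's "Software Affected" list.
# A unit is affected when its version is strictly lower than the fixed one.
# Family labels are our own shorthand (assumption), not vendor identifiers.
FIXED_VERSIONS = {
    "NX7": "1.28",
    "NX1": "1.48",
    "NJ": "1.48",
    "Sysmac Studio": "1.49",
    "NA": "1.15",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.48' into (1, 48) so that '1.9' sorts below '1.48'.

    Assumption: the vendor always writes the minor component with two digits
    (1.05, 1.28, 1.48), so integer comparison of each component is safe.
    """
    return tuple(int(part) for part in version.strip().split("."))


def is_affected(family: str, version: str) -> bool:
    """True when the given family/version pair falls inside the advisory."""
    fixed = FIXED_VERSIONS.get(family)
    if fixed is None:
        raise KeyError(f"product family {family!r} is not listed in the advisory")
    return parse_version(version) < parse_version(fixed)


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (asset, family, running_version, fixed_version) for every affected unit."""
    findings = []
    for asset, family, version in inventory:
        if is_affected(family, version):
            findings.append((asset, family, version, FIXED_VERSIONS[family]))
    return findings


# Constructed sample inventory for the illustration; not real site data.
SAMPLE_INVENTORY = [
    ("PLC-LINE1", "NX1", "1.47"),          # one release behind the fix -> affected
    ("PLC-LINE2", "NX7", "1.28"),          # exactly the fixed version -> not affected
    ("ENG-WS-03", "Sysmac Studio", "1.40"),  # engineering workstation -> affected
    ("HMI-LINE1", "NA", "1.15"),           # fixed runtime -> not affected
]

if __name__ == "__main__":
    for asset, family, running, fixed in triage(SAMPLE_INVENTORY):
        print(f"{asset}: {family} {running} is affected, update to {fixed} or later")
```

Run it against an export of your asset register; anything it prints is a unit that still needs the Omron update.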
Overview
Multiple vulnerabilities have been reported in Omron NJ/NX series Machine Automation Controller products which could allow an attacker to bypass authentication, gain unauthorized access, execute arbitrary code, and cause a denial of service (DoS) condition on the targeted system.
Description
These vulnerabilities exist in Omron NJ/NX series Machine Automation Controller products due to hard-coded credentials, authentication bypass by capture-replay, and active debug code. An attacker who can observe the communication between the controller and the specific software used internally by Omron could analyze that traffic and exploit these weaknesses.
Successful exploitation of these vulnerabilities could allow the attacker to bypass authentication, gain unauthorized access, execute arbitrary code, and cause a denial of service (DoS) condition on the targeted system.
Note: It has been reported that these vulnerabilities are being exploited.
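The advisory names "authentication bypass by capture-replay" without describing the controller protocol, so the following is a generic, added illustration of that weakness class written for this page; it is not Omron's protocol, not the page's code, and the controller classes, the shared secret and the message formats are all assumptions. It shows why a static login token captured once can be replayed, and why a fresh per-session challenge closes the gap.

```python
import hashlib
import hmac
import secrets
from typing import Tuple

# Constructed shared secret for the illustration only (assumption).
SHARED_SECRET = b"engineering-tool-password"


class ReplayableController:
    """Accepts one fixed login token: whoever captures it on the wire can reuse it.

    This is the capture-replay weakness in its simplest form. Hashing the secret
    does not help, because the hash itself is the credential that gets replayed.
    """

    def authenticate(self, login_token: bytes) -> bool:
        expected = hashlib.sha256(SHARED_SECRET).digest()
        return hmac.compare_digest(login_token, expected)


class ChallengeResponseController:
    """Issues a random single-use nonce and expects HMAC(secret, nonce) back."""

    def __init__(self) -> None:
        self._outstanding = set()  # nonces issued but not yet consumed

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def authenticate(self, nonce: bytes, response: bytes) -> bool:
        # Unknown or already-consumed nonce: reject before touching the secret.
        if nonce not in self._outstanding:
            return False
        self._outstanding.discard(nonce)  # single use: a replay of this nonce fails
        expected = hmac.new(SHARED_SECRET, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)


# Legitimate client side for each scheme.
def client_static_token() -> bytes:
    return hashlib.sha256(SHARED_SECRET).digest()


def client_response(nonce: bytes) -> bytes:
    return hmac.new(SHARED_SECRET, nonce, hashlib.sha256).digest()


def demo_static_replay() -> Tuple[bool, bool]:
    """Returns (legitimate login ok, replayed login ok). Both True: replay works."""
    controller = ReplayableController()
    captured = client_static_token()         # attacker sniffs the legitimate login
    legit = controller.authenticate(captured)
    replay = controller.authenticate(captured)  # attacker resends it, no secret needed
    return legit, replay


def demo_challenge_replay() -> Tuple[bool, bool]:
    """Returns (legitimate login ok, any replay ok). Expected (True, False)."""
    controller = ChallengeResponseController()
    nonce1 = controller.challenge()
    captured = client_response(nonce1)       # attacker sniffs this response
    legit = controller.authenticate(nonce1, captured)
    nonce2 = controller.challenge()          # attacker starts a new session later
    replay_old = controller.authenticate(nonce1, captured)  # consumed nonce -> rejected
    replay_new = controller.authenticate(nonce2, captured)  # wrong nonce -> HMAC mismatch
    return legit, (replay_old or replay_new)


if __name__ == "__main__":
    print("static token  (legit, replay):", demo_static_replay())
    print("challenge/resp (legit, replay):", demo_challenge_replay())
```

The practical consequence for defenders is that a passive capture position on the controller network is enough against the first design, which is why the advisory's solution is a firmware update rather than a password change.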
Solution
Apply the appropriate software updates to the affected products as described in the Omron security updates.
Vendor Information
Omron
References
CVE Name
CVE-2022-33208
CVE-2022-33971
CVE-2022-34151
About Cert Advisory
We created this blog to provide the latest security advisories from CERT-In on security vulnerabilities, threats and attacks, and on the patching required to mitigate them.