
Omron CP1L-series Controllers

Product
Developers: Omron Electronics
Last Release Date: 2023/02/06
Technology: APCS

Main article: APCS - typical structure

2023: Fix for a vulnerability that allows reading and changing an arbitrary area of the controller's memory

On February 6, 2023, Positive Technologies announced that it had helped fix a vulnerability in OMRON controllers.

PLCs can control a large range of equipment - from machines to piping systems

The fixed vulnerability, CVE-2023-22357, received a score of 9.1 on the CVSS v3 scale, which corresponds to critical severity. Exploiting it made it possible to read and change an arbitrary area of the controller's memory without authentication. Such manipulation could lead to firmware overwriting, denial of service, or arbitrary code execution. The manufacturer was notified of the threat under a responsible disclosure policy and eliminated the vulnerability in the latest firmware.

OMRON CP1L series controllers are used to control compact machines and to build automation systems quickly. These PLCs are used, for example, to control conveyors and machines, for telemechanics of pipeline units at the state district power station, for microclimate control on farms, and in product quality control systems, automatic packaging machines and other areas.

A vulnerability in the OMRON CP1L-EL20DR-D controller was discovered by Positive Technologies expert Georgy Kiguradze. The error is due to undocumented commands in the FINS communication protocol [3]. These commands are used to debug the PLC software [4].

"In the case of targeted cyber attacks, exploitation of this vulnerability would lead to a shutdown of the technological process or equipment failure. Using proprietary software and shortcomings in the FINS protocol, attackers could negatively affect the operation of the equipment: make changes to the running algorithms, load harmful firmware, change the values of variables, force invalid values at the outputs of modules bypassing blocking algorithms," said Vladimir Nazarov, head of the security department of industrial control systems at Positive Technologies. "To analyze the security of production systems and check the feasibility of unacceptable events, it is necessary to use cyber training. Such activities allow you to find out what an attack in a similar infrastructure can lead to in order to develop protection measures and response scenarios."

To eliminate the vulnerability, the controller manufacturer recommends updating the device firmware and enabling advanced password protection (Extend protection password function).