Omron Addresses PLC and Engineering Software Vulnerabilities Uncovered During ICS Malware Investigation

September 21, 2023

Japanese electronics corporation Omron has recently rectified vulnerabilities in its programmable logic controller (PLC) and engineering software. These vulnerabilities were uncovered by industrial cybersecurity company Dragos during an investigation of an advanced malware.

Last year, the U.S. cybersecurity agency, CISA, alerted organizations about three vulnerabilities impacting Omron NJ and NX-series controllers. Dragos revealed that one of these vulnerabilities, a critical hardcoded credentials issue (CVE-2022-34151), had been exploited by the industrial control system (ICS) attack framework known as Pipedream and Incontroller. Pipedream is speculated to be the creation of a state-sponsored threat group, possibly associated with Russia.

Dragos identified last year that one of Pipedream’s components, dubbed BadOmen, had leveraged CVE-2022-34151 to interact with an HTTP server on targeted Omron NX/NJ controllers. BadOmen holds the ability to manipulate and cause disruption to physical processes.

During its analysis of the BadOmen malware, Dragos detected more vulnerabilities impacting Omron products. In response, CISA and the vendor have now issued advisories to inform organizations about these new flaws and the availability of patches.

While these security vulnerabilities were found during the analysis of the BadOmen malware, Reid Wightman, lead vulnerability analyst at Dragos, stated that they were not exploited by malware and there is no evidence of them being exploited in the wild. The vulnerabilities were discovered while examining Omron equipment and associated software.

CISA and Omron have each released three separate advisories. One of them details CVE-2022-45790, a high-severity vulnerability in Omron CJ/CS/CP series PLCs that use the FINS protocol, susceptible to brute-force attacks. The other advisories describe medium-severity flaws impacting Omron Engineering software: CVE-2022-45793, a weakness in Sysmac Studio that can be leveraged to alter files and execute arbitrary code; and CVE-2018-100220, a Sysmac Studio and NX-IO Configurator Zip-Slip bug that can be exploited to write arbitrary files using specially crafted ZIP archives.

Two of the vulnerabilities have been assigned 2022 CVEs as they were reported to Omron last year. “Sometimes vulnerabilities can take a while to fully address,” Wightman explained. The flaw with the 2018 CVE impacts a third-party component utilized in Omron products. Researcher Michael Heinzl has also been acknowledged by Omron for reporting this vulnerability. Heinzl has previously identified several high-severity remote code execution vulnerabilities in Omron’s CX-Programmer software.

Latest News

• VenomRAT Malware Disguised as WinRAR Exploit on GitHub
• Qatar's Cybersecurity Agency Raises Alarm on Mozilla's RCE Vulnerabilities
• GitLab Issues Critical Security Updates for Pipeline Vulnerability
• Trend Micro Fixes Zero-Day Vulnerability Under Attack in Endpoint Security Products
• Earth Lusca's Advanced SprySOCKS Linux Backdoor Targets Global Government Entities