Search

Find a vulnerability

Search criteria

    4 vulnerabilities found for cj2h-cpu68_firmware by omron

    CVE-2022-45790 (GCVE-0-2022-45790)

    Vulnerability from nvd – Published: 2024-01-22 17:22 – Updated: 2024-11-13 16:53
    VLAI
    Title
    Omron FINS memory protection susceptible to bruteforce
    Summary
    The Omron FINS protocol has an authenticated feature to prevent access to memory regions. Authentication is susceptible to bruteforce attack, which may allow an adversary to gain access to protected memory. This access can allow overwrite of values including programmed logic.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-307 - Improper Restriction of Excessive Authentication Attempts
    Assigner
    Impacted products
    Vendor Product Version
    Omron CJ-series and CS-series CPU modules Affected: CJ2H 0.0 , < 1.5 (custom)
    Affected: CJ2M 0.0 , < 2.1 (custom)
    Affected: CJ1G 0.0 , < 4.1 (custom)
    Affected: CS1H 0.0 , < 4.1 (custom)
    Affected: CS1G 0.0 , < 4.1 (custom)
    Affected: CS1D-H 0.0 , < 1.4 (custom)
    Affected: CP1E-E 0.0 , < 1.3 (custom)
    Affected: CP1E-N 0.0 , < 1.3 (custom)
    Affected: CS1D-P 0.0 , < 1.4 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T14:17:04.118Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-262-05"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.fa.omron.co.jp/product/security/assets/pdf/en/OMSR-2023-010_en.pdf"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.dragos.com/advisory/omron-plc-and-engineering-software-network-and-file-format-access/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-45790",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-01-25T20:23:52.957365Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-13T16:53:38.204Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "CJ-series and CS-series CPU modules",
              "vendor": "Omron",
              "versions": [
                {
                  "lessThan": "1.5",
                  "status": "affected",
                  "version": "CJ2H 0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.1",
                  "status": "affected",
                  "version": "CJ2M 0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.1",
                  "status": "affected",
                  "version": "CJ1G 0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.1",
                  "status": "affected",
                  "version": "CS1H 0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.1",
                  "status": "affected",
                  "version": "CS1G 0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "1.4",
                  "status": "affected",
                  "version": "CS1D-H 0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "1.3",
                  "status": "affected",
                  "version": "CP1E-E 0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "1.3",
                  "status": "affected",
                  "version": "CP1E-N 0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "1.4",
                  "status": "affected",
                  "version": "CS1D-P 0.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The Omron FINS protocol has an authenticated feature to prevent access to memory regions. Authentication is susceptible to bruteforce attack, which may allow an adversary to gain access to protected memory. This access can allow overwrite of values including programmed logic."
                }
              ],
              "value": "The Omron FINS protocol has an authenticated feature to prevent access to memory regions. Authentication is susceptible to bruteforce attack, which may allow an adversary to gain access to protected memory. This access can allow overwrite of values including programmed logic."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-629",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-629 Unauthorized Use of Device Resources"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-307",
                  "description": "CWE-307 Improper Restriction of Excessive Authentication Attempts",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-01-22T17:22:14.476Z",
            "orgId": "12bdf821-1545-4a87-aac5-61670cc6fcef",
            "shortName": "Dragos"
          },
          "references": [
            {
              "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-262-05"
            },
            {
              "url": "https://www.fa.omron.co.jp/product/security/assets/pdf/en/OMSR-2023-010_en.pdf"
            },
            {
              "url": "https://www.dragos.com/advisory/omron-plc-and-engineering-software-network-and-file-format-access/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Omron FINS memory protection susceptible to bruteforce",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "12bdf821-1545-4a87-aac5-61670cc6fcef",
        "assignerShortName": "Dragos",
        "cveId": "CVE-2022-45790",
        "datePublished": "2024-01-22T17:22:14.476Z",
        "dateReserved": "2022-11-22T17:52:43.198Z",
        "dateUpdated": "2024-11-13T16:53:38.204Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-27396 (GCVE-0-2023-27396)

    Vulnerability from nvd – Published: 2023-06-19 00:00 – Updated: 2024-12-24 16:45
    VLAI
    Summary
    FINS (Factory Interface Network Service) is a message communication protocol, which is designed to be used in closed FA (Factory Automation) networks, and is used in FA networks composed of OMRON products. Multiple OMRON products that implement FINS protocol contain following security issues -- (1)Plaintext communication, and (2)No authentication required. When FINS messages are intercepted, the contents may be retrieved. When arbitrary FINS messages are injected, any commands may be executed on, or the system information may be retrieved from, the affected device. Affected products and versions are as follows: SYSMAC CS-series CPU Units, all versions, SYSMAC CJ-series CPU Units, all versions, SYSMAC CP-series CPU Units, all versions, SYSMAC NJ-series CPU Units, all versions, SYSMAC NX1P-series CPU Units, all versions, SYSMAC NX102-series CPU Units, all versions, and SYSMAC NX7 Database Connection CPU Units (Ver.1.16 or later)
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • Insecure Design
    • CWE-306 - Missing Authentication for Critical Function
    Assigner
    Impacted products
    Vendor Product Version
    OMRON Corporation Multiple OMRON products which implement FINS protocol Affected: SYSMAC CS-series CPU Units all versions, SYSMAC CJ-series CPU Units all versions, SYSMAC CP-series CPU Units all versions, SYSMAC NJ-series CPU Units all versions, SYSMAC NX1P-series CPU Units all versions, SYSMAC NX102-series CPU Units all versions, and SYSMAC NX7 Database Connection CPU Units Ver.1.16 or later
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T12:09:43.381Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.us-cert.gov/ics/advisories/icsa-19-346-02"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.ia.omron.com/product/vulnerability/OMSR-2023-003_en.pdf"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.fa.omron.co.jp/product/vulnerability/OMSR-2023-003_ja.pdf"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/ta/JVNTA91513661/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/ta/JVNTA91513661/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.us-cert.gov/ics/advisories/icsa-20-063-03"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-02"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-27396",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-24T16:45:15.508549Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-306",
                    "description": "CWE-306 Missing Authentication for Critical Function",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-24T16:45:20.428Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Multiple OMRON products which implement FINS protocol",
              "vendor": "OMRON Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "SYSMAC CS-series CPU Units all versions, SYSMAC CJ-series CPU Units all versions, SYSMAC CP-series CPU Units all versions, SYSMAC NJ-series CPU Units all versions, SYSMAC NX1P-series CPU Units all versions, SYSMAC NX102-series CPU Units all versions, and SYSMAC NX7 Database Connection CPU Units Ver.1.16 or later"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "FINS (Factory Interface Network Service) is a message communication protocol, which is designed to be used in closed FA (Factory Automation) networks, and is used in FA networks composed of OMRON products. Multiple OMRON products that implement FINS protocol contain following security issues -- (1)Plaintext communication, and (2)No authentication required. When FINS messages are intercepted, the contents may be retrieved. When arbitrary FINS messages are injected, any commands may be executed on, or the system information may be retrieved from, the affected device. Affected products and versions are as follows: SYSMAC CS-series CPU Units, all versions, SYSMAC CJ-series CPU Units, all versions, SYSMAC CP-series CPU Units, all versions, SYSMAC NJ-series CPU Units, all versions, SYSMAC NX1P-series CPU Units, all versions, SYSMAC NX102-series CPU Units, all versions, and SYSMAC NX7 Database Connection CPU Units (Ver.1.16 or later)"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Insecure Design",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-06-19T00:00:00.000Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.us-cert.gov/ics/advisories/icsa-19-346-02"
            },
            {
              "url": "https://www.ia.omron.com/product/vulnerability/OMSR-2023-003_en.pdf"
            },
            {
              "url": "https://www.fa.omron.co.jp/product/vulnerability/OMSR-2023-003_ja.pdf"
            },
            {
              "url": "https://jvn.jp/en/ta/JVNTA91513661/"
            },
            {
              "url": "https://jvn.jp/ta/JVNTA91513661/"
            },
            {
              "url": "https://www.us-cert.gov/ics/advisories/icsa-20-063-03"
            },
            {
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-02"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2023-27396",
        "datePublished": "2023-06-19T00:00:00.000Z",
        "dateReserved": "2023-03-15T00:00:00.000Z",
        "dateUpdated": "2024-12-24T16:45:20.428Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-45790 (GCVE-0-2022-45790)

    Vulnerability from cvelistv5 – Published: 2024-01-22 17:22 – Updated: 2024-11-13 16:53
    VLAI
    Title
    Omron FINS memory protection susceptible to bruteforce
    Summary
    The Omron FINS protocol has an authenticated feature to prevent access to memory regions. Authentication is susceptible to bruteforce attack, which may allow an adversary to gain access to protected memory. This access can allow overwrite of values including programmed logic.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-307 - Improper Restriction of Excessive Authentication Attempts
    Assigner
    Impacted products
    Vendor Product Version
    Omron CJ-series and CS-series CPU modules Affected: CJ2H 0.0 , < 1.5 (custom)
    Affected: CJ2M 0.0 , < 2.1 (custom)
    Affected: CJ1G 0.0 , < 4.1 (custom)
    Affected: CS1H 0.0 , < 4.1 (custom)
    Affected: CS1G 0.0 , < 4.1 (custom)
    Affected: CS1D-H 0.0 , < 1.4 (custom)
    Affected: CP1E-E 0.0 , < 1.3 (custom)
    Affected: CP1E-N 0.0 , < 1.3 (custom)
    Affected: CS1D-P 0.0 , < 1.4 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T14:17:04.118Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-262-05"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.fa.omron.co.jp/product/security/assets/pdf/en/OMSR-2023-010_en.pdf"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.dragos.com/advisory/omron-plc-and-engineering-software-network-and-file-format-access/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-45790",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-01-25T20:23:52.957365Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-13T16:53:38.204Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "CJ-series and CS-series CPU modules",
              "vendor": "Omron",
              "versions": [
                {
                  "lessThan": "1.5",
                  "status": "affected",
                  "version": "CJ2H 0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.1",
                  "status": "affected",
                  "version": "CJ2M 0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.1",
                  "status": "affected",
                  "version": "CJ1G 0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.1",
                  "status": "affected",
                  "version": "CS1H 0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.1",
                  "status": "affected",
                  "version": "CS1G 0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "1.4",
                  "status": "affected",
                  "version": "CS1D-H 0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "1.3",
                  "status": "affected",
                  "version": "CP1E-E 0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "1.3",
                  "status": "affected",
                  "version": "CP1E-N 0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "1.4",
                  "status": "affected",
                  "version": "CS1D-P 0.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The Omron FINS protocol has an authenticated feature to prevent access to memory regions. Authentication is susceptible to bruteforce attack, which may allow an adversary to gain access to protected memory. This access can allow overwrite of values including programmed logic."
                }
              ],
              "value": "The Omron FINS protocol has an authenticated feature to prevent access to memory regions. Authentication is susceptible to bruteforce attack, which may allow an adversary to gain access to protected memory. This access can allow overwrite of values including programmed logic."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-629",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-629 Unauthorized Use of Device Resources"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-307",
                  "description": "CWE-307 Improper Restriction of Excessive Authentication Attempts",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-01-22T17:22:14.476Z",
            "orgId": "12bdf821-1545-4a87-aac5-61670cc6fcef",
            "shortName": "Dragos"
          },
          "references": [
            {
              "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-262-05"
            },
            {
              "url": "https://www.fa.omron.co.jp/product/security/assets/pdf/en/OMSR-2023-010_en.pdf"
            },
            {
              "url": "https://www.dragos.com/advisory/omron-plc-and-engineering-software-network-and-file-format-access/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Omron FINS memory protection susceptible to bruteforce",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "12bdf821-1545-4a87-aac5-61670cc6fcef",
        "assignerShortName": "Dragos",
        "cveId": "CVE-2022-45790",
        "datePublished": "2024-01-22T17:22:14.476Z",
        "dateReserved": "2022-11-22T17:52:43.198Z",
        "dateUpdated": "2024-11-13T16:53:38.204Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-27396 (GCVE-0-2023-27396)

    Vulnerability from cvelistv5 – Published: 2023-06-19 00:00 – Updated: 2024-12-24 16:45
    VLAI
    Summary
    FINS (Factory Interface Network Service) is a message communication protocol, which is designed to be used in closed FA (Factory Automation) networks, and is used in FA networks composed of OMRON products. Multiple OMRON products that implement FINS protocol contain following security issues -- (1)Plaintext communication, and (2)No authentication required. When FINS messages are intercepted, the contents may be retrieved. When arbitrary FINS messages are injected, any commands may be executed on, or the system information may be retrieved from, the affected device. Affected products and versions are as follows: SYSMAC CS-series CPU Units, all versions, SYSMAC CJ-series CPU Units, all versions, SYSMAC CP-series CPU Units, all versions, SYSMAC NJ-series CPU Units, all versions, SYSMAC NX1P-series CPU Units, all versions, SYSMAC NX102-series CPU Units, all versions, and SYSMAC NX7 Database Connection CPU Units (Ver.1.16 or later)
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • Insecure Design
    • CWE-306 - Missing Authentication for Critical Function
    Assigner
    Impacted products
    Vendor Product Version
    OMRON Corporation Multiple OMRON products which implement FINS protocol Affected: SYSMAC CS-series CPU Units all versions, SYSMAC CJ-series CPU Units all versions, SYSMAC CP-series CPU Units all versions, SYSMAC NJ-series CPU Units all versions, SYSMAC NX1P-series CPU Units all versions, SYSMAC NX102-series CPU Units all versions, and SYSMAC NX7 Database Connection CPU Units Ver.1.16 or later
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T12:09:43.381Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.us-cert.gov/ics/advisories/icsa-19-346-02"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.ia.omron.com/product/vulnerability/OMSR-2023-003_en.pdf"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.fa.omron.co.jp/product/vulnerability/OMSR-2023-003_ja.pdf"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/ta/JVNTA91513661/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/ta/JVNTA91513661/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.us-cert.gov/ics/advisories/icsa-20-063-03"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-02"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-27396",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-24T16:45:15.508549Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-306",
                    "description": "CWE-306 Missing Authentication for Critical Function",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-24T16:45:20.428Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Multiple OMRON products which implement FINS protocol",
              "vendor": "OMRON Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "SYSMAC CS-series CPU Units all versions, SYSMAC CJ-series CPU Units all versions, SYSMAC CP-series CPU Units all versions, SYSMAC NJ-series CPU Units all versions, SYSMAC NX1P-series CPU Units all versions, SYSMAC NX102-series CPU Units all versions, and SYSMAC NX7 Database Connection CPU Units Ver.1.16 or later"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "FINS (Factory Interface Network Service) is a message communication protocol, which is designed to be used in closed FA (Factory Automation) networks, and is used in FA networks composed of OMRON products. Multiple OMRON products that implement FINS protocol contain following security issues -- (1)Plaintext communication, and (2)No authentication required. When FINS messages are intercepted, the contents may be retrieved. When arbitrary FINS messages are injected, any commands may be executed on, or the system information may be retrieved from, the affected device. Affected products and versions are as follows: SYSMAC CS-series CPU Units, all versions, SYSMAC CJ-series CPU Units, all versions, SYSMAC CP-series CPU Units, all versions, SYSMAC NJ-series CPU Units, all versions, SYSMAC NX1P-series CPU Units, all versions, SYSMAC NX102-series CPU Units, all versions, and SYSMAC NX7 Database Connection CPU Units (Ver.1.16 or later)"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Insecure Design",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-06-19T00:00:00.000Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.us-cert.gov/ics/advisories/icsa-19-346-02"
            },
            {
              "url": "https://www.ia.omron.com/product/vulnerability/OMSR-2023-003_en.pdf"
            },
            {
              "url": "https://www.fa.omron.co.jp/product/vulnerability/OMSR-2023-003_ja.pdf"
            },
            {
              "url": "https://jvn.jp/en/ta/JVNTA91513661/"
            },
            {
              "url": "https://jvn.jp/ta/JVNTA91513661/"
            },
            {
              "url": "https://www.us-cert.gov/ics/advisories/icsa-20-063-03"
            },
            {
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-02"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2023-27396",
        "datePublished": "2023-06-19T00:00:00.000Z",
        "dateReserved": "2023-03-15T00:00:00.000Z",
        "dateUpdated": "2024-12-24T16:45:20.428Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }