CISA
Critical infrastructure
News
Threat Landscape
Vulnerabilities

Security loopholes found in Omron, Fernhill, IDEC, Philips equipment deployed across industrial sector

January 07, 2022
security loopholes

The Cybersecurity and Infrastructure Security Agency (CISA) warned users on Thursday of the presence of security loopholes in products from Omron, Fernhill, IDEC, and Philips deployed across the industrial sector, including critical manufacturing, energy, and healthcare organizations. 

Users of the Omron CX-One automation software deployed in the critical manufacturing sector were informed of the presence of a stack-based buffer overflow vulnerability while processing specific project files, which may allow an attacker to execute arbitrary code. 

The CX-One software suite allows users to build, configure, and program a host of devices, such as programmable logic controllers (PLCs), human-machine interface (HMIs), motion-control systems, and networks using a software package with one installation and license number. This helps in decreasing the hassle of software maintenance and management at both the end-user and OEM levels.

The security flaw was found in the CX-One versions 4.60 and prior, and a CVSS v3 base score of 7.8 has been assigned to the vulnerability.

The vulnerability was reported to the CISA by xina1i, working with Trend Micro’s Zero Day Initiative, according to the CISA advisory. Omron has released an updated version of CX-One to address the reported vulnerability, and the updated release is available through the CX-One auto-update service, CX-Server: version 5.0.29.2.

CISA also warned about the presence of a vulnerability that enables uncontrolled resource consumption in the Fernhill SCADA Server. The flaw has been detected on SCADA Server Version 3.77 and earlier across Windows, Linux, and macOS platforms, and could cause a denial-of-service condition. 

The Fernhill SCADA Server is a background process (service or daemon) that runs a set of drivers to interface across PLC devices, RTU (Remote Terminal Unit) devices, IoT (Internet of Things) devices, files, databases, OPC (Open Platform Communications) servers, and Simple Network Management Protocol (SNMP) agents. It also stores data values in a historian and events in an Event Log, maintains the list of abnormal conditions in an alarm list, generates text reports, runs IEC 61131-3 programs, and makes the data available to client applications.

A CVSS v3 base score of 7.5 has been calculated for the vulnerability and was found independently by Fernhill and ExCraft. Fernhill has advised users to upgrade to version 3.78 or later.

The IDEC PLCs have been detected to contain security loopholes that could lead to unprotected transport of credentials and plaintext storage of a password. The exploitation of these vulnerabilities could allow an attacker to upload, alter, and/or download the PLC user program. An attacker could also access the PLC web server and hijack the controllers, resulting in the manipulation and/or suspension of the PLC output.

The security loopholes were found across various IDEC product lines, including FC6A MICROSmart all-in-one CPU Module v2.32 and earlier, FC6B MICROSmart all-in-one CPU Module v2.31 and earlier, FC6A MICROSmart Plus CPU Module v1.91 and earlier, FC6B MICROSmart Plus CPU Module v2.31 and earlier, FT1A Controller SmartAXIS Pro/Lite v2.31 and earlier, WindLDR v8.19.1 and earlier, WindEDIT Lite v1.3.1 and earlier, Data File Manager v2.12.1 and earlier, FC6A MICROSmart All-in-One CPU Module v2.32 and earlier, FC6A MICROSmart Plus CPU Module v1.91 and earlier, WindLDR v8.19.1 and earlier, WindEDIT Lite v1.3.1 and earlier, and Data File Manager v2.12.1 and earlier.

Khalid Ansari of FM Approvals reported these vulnerabilities to IDEC, CISA said in its advisory.

To deal with the vulnerabilities, IDEC users have been advised to apply appropriate software updates according to the information provided by the developer. In addition, IDEC recommended to the end-users to restrict the network appropriately to prevent suspicious connections from untrusted devices, restrict the devices that can access PLCs, and manage ZLD files appropriately to mitigate the impacts of these vulnerabilities.

CISA also warned users of the presence of a security vulnerability in Philips Engage Software that can allow improper access control, which may allow an authenticated user to gain unauthorized access to sensitive data. The exploitation of the vulnerability may allow improper viewing (read-only) of business contact information. Parnassia and S-Unit reported the vulnerability to the cybersecurity agency.

Philips released and deployed updated version 6.2.2 last September, which mitigated the vulnerability, the federal agency said in its ICS medical advisory.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

Building a Culture of Cyber Resilience in Manufacturing (WEF)
WEF playbook addresses cyber resilience in manufacturing and supply chains, provides three guiding principles
DOE, EPA support NSM-22 focused on critical infrastructure security and resilience
DOE, EPA support NSM-22 focused on critical infrastructure security and resilience
White House releases National Security Memorandum on critical infrastructure security and resilience
White House releases National Security Memorandum on critical infrastructure security and resilience
US DHS delivers safety and security guidelines to secure critical infrastructure from AI-related threats
US DHS delivers safety and security guidelines to secure critical infrastructure from AI-related threats
Xage’s Zero Trust Session Collaboration tool delivers remote access, collaboration across industrial frameworks
Xage announces AI-powered analytics and insight capabilities to boost zero trust access and protection
US DHS establishes AI Safety and Security Board to advise on safe deployment in critical infrastructure
US DHS establishes AI Safety and Security Board to advise on safe deployment in critical infrastructure
AI for Energy - Opportunities for a Modern Grid and Clean Energy Economy (DoE)
US DOE rolls out initial assessment report on AI benefits and risks for critical energy infrastructure
Honeywell’s 2024 USB Threat Report reveals significant rise in malware frequency, highlighting growing concerns
Honeywell’s 2024 USB Threat Report reveals significant rise in malware frequency, highlighting growing concerns
Claroty’s Team82 details exploitation of classic deserialization vulnerability in Siemens EnMPro line
Claroty’s Team82 details exploitation of classic deserialization vulnerability in Siemens EnMPro line
Microsoft debuts ICSpector framework to enable examining information and configurations of industrial PLCs
Microsoft debuts ICSpector framework to enable examining information and configurations of industrial PLCs