Omron CX-One

Monitor5.3ICS-CERT ICSA-18-100-02Apr 10, 2018

Attack VectorLocal

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

Omron CX-One and its component modules (CX-Protocol, CX-FLnet, CX-Programmer, CX-Server, Switch Box Utility, Network Configurator) contain buffer overflow vulnerabilities (CWE-121, CWE-122, CWE-843) that could allow code execution. These vulnerabilities require local access and user interaction (e.g., opening a malicious file). No public exploits are known.

What this means

What could happen

An attacker with local access could execute arbitrary code on engineering workstations running CX-One, potentially compromising configuration and control of Omron PLCs and other industrial devices. This could alter process logic or safety settings in energy generation and distribution systems.

Who's at risk

Energy utilities using Omron CX-One for engineering, programming, and configuration of PLCs and automation controllers. Specifically affects engineers and technicians who use CX-Programmer, CX-Server for device communication, and the supporting utilities for network configuration and protocol management.

How it could be exploited

An attacker must have local access to a workstation running CX-One and trick a user into opening a malicious file (e.g., a crafted project file or configuration file). The buffer overflow is triggered when CX-One parses the file, allowing code execution in the context of the engineering application. From there, the attacker could modify PLC configurations before they are deployed.

Prerequisites

Local access to the engineering workstation
User interaction required (opening a malicious file)
CX-One or vulnerable components installed (CX-Protocol <=1.992, CX-FLnet <=1.00, CX-Programmer <=9.65, CX-Server <=5.0.22, Switch Box Utility <=1.68, Network Configurator <=3.63, CX-One <=4.42)

Local access only (not remotely exploitable)Requires user interactionLow EPSS score (0.1%)Affects engineering/configuration workstations

Exploitability

Low exploit probability (EPSS 0.1%)

Affected products (7)

7 with fix

ProductAffected VersionsFix Status

CX-Protocol:≤ 1.9921.993

CX-FLnet:≤ 1.001.10

CX-Programmer:≤ 9.659.66

CX-Server:≤ 5.0.225.0.23

Switch Box Utility:≤ 1.681.69

Network Configurator:≤ 3.633.64

CX-One:≤ 4.424.43 or later

Remediation & Mitigation

0/9

Do now

0/1

WORKAROUNDTrain engineering staff not to open unsolicited files or email attachments, especially those containing CX-One project or configuration files from unknown sources

Schedule — requires maintenance window

0/7

Patching may require device reboot — plan for process interruption

HOTFIXUpdate CX-One to version 4.43 or later using the auto-update service

HOTFIXUpdate CX-Protocol to version 1.993 or later

HOTFIXUpdate CX-FLnet to version 1.10 or later

HOTFIXUpdate CX-Programmer to version 9.66 or later

HOTFIXUpdate CX-Server (Common Module) to version 5.0.23 or later

HOTFIXUpdate Network Configurator to version 3.64 or later

HOTFIXUpdate Switch Box Utility to version 1.69 or later

Long-term hardening

0/1

HARDENINGRestrict physical and network access to engineering workstations running CX-One to authorized personnel only

CVEs (3)

CVE-2018-8834 CVE-2018-7514 CVE-2018-7530

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/b87291a7-a953-4c62-b15c-0a0f9c2628a5