Omron CX-Supervisor (Update A)
Plan Patch · 7 · ICS-CERT ICSA-18-290-01 · Oct 17, 2018
Attack Vector: Local
Auth Required: None
Complexity: High
User Interaction: Required
Summary
CX-Supervisor versions 3.4.1.0 and earlier contain multiple memory corruption vulnerabilities (CWE-119, CWE-125, CWE-416, CWE-704) that allow local code execution, memory corruption, and out-of-bounds reads. Successful exploitation could allow an attacker to execute code under the context of the application, corrupt objects, and cause denial of service. Omron has released Version 3.4.2 to address these vulnerabilities.
What this means
What could happen
An attacker with local access to a machine running CX-Supervisor could execute arbitrary code, corrupt memory objects, or cause the application to crash. This could disrupt supervision and monitoring of Omron control systems during an attack.
Who's at risk
Organizations using Omron CX-Supervisor for automation and process supervision should prioritize this—especially water utilities, power distributors, and manufacturers that rely on Omron PLCs and HMI systems. The vulnerability affects engineering workstations and supervisory servers, not field devices, but compromise could allow an attacker to alter setpoints or stop processes on connected equipment.
How it could be exploited
An attacker needs to execute code on the local machine where CX-Supervisor is running (e.g., via phishing, USB, or malware already present). Once execution is achieved on that machine, the attacker can exploit buffer overflows, out-of-bounds reads, or use-after-free conditions to break out of the application sandbox and run commands on the engineering workstation or server.
Prerequisites
- Local code execution on the CX-Supervisor workstation or server
- User interaction (running a malicious file or opening a crafted document)
- No authentication required once local execution is achieved
- Local exploitation only
- Requires user interaction
- High skill level needed
- Memory corruption vulnerabilities (buffer overflows, use-after-free)
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product | Affected Versions | Fix Status
CX-Supervisor | ≤ 3.4.1.0 | 3.4.2
Remediation & Mitigation
Do now
- HARDENING: Isolate CX-Supervisor workstations and servers from the business network using firewalls and network segmentation
- HARDENING: Implement access controls to restrict who can log into and use CX-Supervisor engineering workstations
- WORKAROUND: Disable or restrict local file access and USB ports on CX-Supervisor machines if not required for operations
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
- HOTFIX: Upgrade CX-Supervisor to version 3.4.2 or later