Omron CX-Supervisor (Update A)

Plan Patch7.3ICS-CERT ICSA-19-017-01Jan 17, 2019

Attack VectorLocal

Auth RequiredLow

ComplexityLow

User InteractionRequired

Summary

Omron CX-Supervisor versions 3.42 and earlier contain multiple memory corruption and code injection vulnerabilities (CWE-94, CWE-77, CWE-416, CWE-843, CWE-824, CWE-125). Successful exploitation requires local access and low privileges. An attacker could execute arbitrary code with application context privileges or trigger a denial-of-service condition. Remote exploitation is not possible. Omron has released version 3.5.0.11 to address these issues.

What this means

What could happen

An attacker with local access and low privileges could exploit these vulnerabilities to execute arbitrary code with application privileges or crash CX-Supervisor, disrupting supervisory control and data acquisition for Omron-managed processes.

Who's at risk

Omron CX-Supervisor users managing any supervisory control process—water treatment, wastewater, electrical generation, or industrial automation. The risk is highest for facilities where engineering workstations are shared or accessible to lower-privileged staff, or where such stations are networked to business systems or the Internet.

How it could be exploited

An attacker must have local access to a machine running CX-Supervisor and low-level user privileges. They could then exploit code execution vulnerabilities (CWE-94, CWE-77) to run commands within the application context, or trigger memory corruption flaws (CWE-416, CWE-843, CWE-824, CWE-125) to cause a denial-of-service crash. Remote exploitation is not possible.

Prerequisites

Local access to the CX-Supervisor host machine
Low-level user privileges on the host
CX-Supervisor version 3.42 or earlier installed
User interaction required (interaction element present in CVSS vector)

no patch available for versions below 3.42 (requires upgrade)affects supervisory control systemuser interaction requiredlow complexity attackcode execution possible

Exploitability

Low exploit probability (EPSS 0.5%)

Affected products (1)

ProductAffected VersionsFix Status

CX-Supervisor:≤ 3.423.5.0.11

Remediation & Mitigation

0/4

Do now

0/1

HARDENINGRestrict local access to CX-Supervisor hosts. Implement physical and logical access controls to limit who can log into engineering workstations.

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade CX-Supervisor to version 3.5.0.11 or later. Existing development projects must be upgraded and saved in the new format, then rebuilt.

Long-term hardening

0/2

HARDENINGIsolate CX-Supervisor networks from business networks and the Internet using firewalls and network segmentation.

HARDENINGIf remote access to CX-Supervisor systems is required, use secure VPN connections with the latest available patches.

CVEs (7)

CVE-2018-19011 CVE-2018-19013 CVE-2018-19015 CVE-2018-19017 CVE-2018-19019 CVE-2018-19018 CVE-2018-19020

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/1bc4cc70-4d7a-441d-b650-8160e943ea14