Omron Network Configurator for DeviceNet (Update A)

Plan Patch7.3ICS-CERT ICSA-19-134-01May 14, 2019

Attack VectorLocal

Auth RequiredLow

ComplexityLow

User InteractionRequired

Summary

Omron Network Configurator for DeviceNet Safety versions 3.41 and prior contain an untrusted search path vulnerability (CWE-426) that allows arbitrary code execution under the privileges of the application. The vulnerability is triggered when a user opens a malicious project file. Omron has released version 3.42 to address the issue. The vulnerability is not remotely exploitable and no public exploits are known.

What this means

What could happen

An attacker with local access to a Windows PC running the vulnerable Omron software could execute arbitrary code with the privileges of the logged-in user, potentially compromising engineering workstations and project files used to configure DeviceNet safety systems.

Who's at risk

Engineering and IT staff at water utilities, power plants, and manufacturing facilities who use Omron Network Configurator for DeviceNet Safety to configure safety-related communication modules. This tool runs on Windows workstations used by controls engineers and system integrators.

How it could be exploited

The vulnerability is triggered when a user opens a malicious project file (.dcf or similar) in the vulnerable application. An attacker would need to trick an engineer into opening an untrusted project file, likely via email or shared network storage. Upon opening, the application executes the attacker's code with the user's privileges.

Prerequisites

Local access to the Windows PC running Network Configurator for DeviceNet Safety
User interaction required: engineer must open a malicious project file
Affected versions: 3.41 and prior
Attacker must deliver the malicious project file via social engineering (email, file share, etc.)

Requires user interaction (opening a file)Local access onlyAffects engineering workstationsArbitrary code execution possible

Exploitability

Low exploit probability (EPSS 0.2%)

Affected products (1)

ProductAffected VersionsFix Status

Network Configurator for DeviceNet Safety: 3.41 and prior≤ 3.413.42

Remediation & Mitigation

0/6

Do now

0/4

WORKAROUNDDo not open untrusted project files; verify the source of any .dcf or project files before opening

HARDENINGOperate Windows engineering workstations with standard user accounts (non-administrator) when possible; use administrator accounts only when necessary

HARDENINGRemove or restrict directories in the PATH environment variable that are not system directories

HARDENINGEnsure system directories are writable only by administrators (verify Windows default permissions)

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate Network Configurator for DeviceNet Safety to version 3.42 or later

Long-term hardening

0/1

HARDENINGEducate staff not to click web links or open unsolicited attachments in email

CVEs (1)

CVE-2019-10971

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/45cd7fa9-a901-4e92-973f-01e24a158b6f