Omron PLC CJ Series
Score: 7.5 · ICS-CERT ICSA-20-063-03 · Mar 3, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Omron CJ series PLCs contain a vulnerability in FINS protocol message handling (CWE-400: improper resource validation) that allows an attacker to trigger a denial-of-service condition by sending a malformed network packet. The PLC will crash and become unresponsive, requiring a manual restart. All versions of the CJ series are affected. Omron has not released a firmware patch and does not plan to fix this vulnerability in end-of-life hardware.
What this means
What could happen
An attacker can send specially crafted network traffic to crash the Omron PLC, causing the device to stop responding and halting whatever process it controls (pumps, motors, treatment stages, etc.).
Who's at risk
Manufacturing facilities, water utilities, and power plants that rely on Omron CJ series PLCs for critical automation tasks (process control, pump/motor operation, treatment sequencing, valve actuation). Any organization with these PLCs connected to a network or potentially reachable from outside the facility should be concerned.
How it could be exploited
An attacker on the network (or on the internet, if the PLC is exposed) sends a malformed packet to the FINS port (default 9600) on the PLC. The PLC fails to validate the packet properly, crashes, and becomes unresponsive until it is manually restarted.
Prerequisites
- Network-level access to FINS port 9600 (or custom FINS port) on the PLC
- No authentication required to trigger the vulnerability
- Remotely exploitable
- No authentication required
- Low complexity attack
- No patch available (end-of-life product)
- No known public exploits yet, but the vulnerability is disclosed
Exploitability
Low exploit probability (EPSS 0.7%)
Affected products (1)
Product: PLC CJ series (all versions)
Affected Versions: All versions
Fix Status: No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Block inbound traffic to the FINS port (default 9600) using a firewall or access control list; only allow connections from trusted engineering workstations or SCADA master servers.
WORKAROUND: Implement IP address filtering on the firewall to restrict which devices can communicate with the PLC.
Mitigations - no patch available
PLC CJ series (all versions) has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Segment the PLC onto a separate network (DMZ or isolated control network) that is not directly accessible from the corporate/business network or the internet.
HARDENING: If remote access to the PLC is required, use a VPN tunnel to an engineering workstation, not direct internet exposure.
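The workaround and hardening items above amount to one rule: only a short allowlist of engineering workstations and SCADA masters may reach the PLC's FINS port, and every other FINS-bound flow should be dropped and alerted on. The following Python is an added example (not code from the advisory or from Omron) that encodes that allowlist, audits a set of connection records against it, and renders equivalent forward-chain rules for a Linux/nftables firewall placed in front of the control network. It covers both FINS/UDP and FINS/TCP, since Omron supports both on port 9600. The PLC addresses, trusted subnets, and flow records are constructed sample data, and the presence of an nftables firewall is an assumption.

```python
"""Allowlist audit and rule rendering for Omron FINS traffic.

Added example, not part of the advisory. Models the advisory's workaround:
only trusted engineering workstations or SCADA masters may reach the FINS
port (9600 by default; Omron uses both FINS/UDP and FINS/TCP) on the PLC.
All IP addresses and flow records below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass

FINS_PORT = 9600  # default; change if the PLC uses a custom FINS port


@dataclass(frozen=True)
class Flow:
    """One observed connection attempt (e.g. parsed from a firewall or NetFlow log)."""
    src: str
    dst: str
    dst_port: int
    proto: str  # "udp" or "tcp"


class FinsPolicy:
    def __init__(self, plcs, trusted, fins_port=FINS_PORT):
        self.plcs = {ipaddress.ip_address(p) for p in plcs}
        # Keep trusted networks non-overlapping so the rendered nftables sets are valid.
        self.trusted = [ipaddress.ip_network(n, strict=False) for n in trusted]
        self.fins_port = fins_port

    def targets_fins(self, flow):
        return (flow.proto in ("udp", "tcp")
                and flow.dst_port == self.fins_port
                and ipaddress.ip_address(flow.dst) in self.plcs)

    def source_trusted(self, src):
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.trusted)

    def verdict(self, flow):
        """'allow' for trusted FINS sources, 'block' for anything else aimed at
        FINS on a PLC, 'ignore' for traffic this policy does not cover."""
        if not self.targets_fins(flow):
            return "ignore"
        return "allow" if self.source_trusted(flow.src) else "block"

    def nftables_rules(self):
        """Render forward-chain rules for a Linux/nftables firewall in front of
        the control network (assumed to exist; illustrative rule text)."""
        plcs = ", ".join(str(p) for p in sorted(self.plcs))
        trusted = ", ".join(str(n) for n in self.trusted)
        rules = []
        for proto in ("udp", "tcp"):
            rules.append(f"ip daddr {{ {plcs} }} ip saddr {{ {trusted} }} "
                         f"{proto} dport {self.fins_port} accept")
            rules.append(f"ip daddr {{ {plcs} }} {proto} dport {self.fins_port} drop")
        return rules


def audit(policy, flows):
    """Return the flows the policy would block; these are the ones to alert on."""
    return [f for f in flows if policy.verdict(f) == "block"]


# Constructed sample data: two PLCs, one engineering workstation, one SCADA /29.
POLICY = FinsPolicy(
    plcs=["10.20.0.10", "10.20.0.11"],
    trusted=["10.10.1.5/32", "10.10.2.0/29"],
)

SAMPLE_FLOWS = [
    Flow("10.10.1.5", "10.20.0.10", 9600, "udp"),      # engineering workstation: allow
    Flow("10.10.2.3", "10.20.0.11", 9600, "tcp"),      # SCADA master in the /29: allow
    Flow("192.168.50.23", "10.20.0.10", 9600, "udp"),  # corporate host: block
    Flow("203.0.113.9", "10.20.0.10", 9600, "tcp"),    # internet source: block
    Flow("192.168.50.23", "10.20.0.10", 80, "tcp"),    # not FINS: ignored here
]

if __name__ == "__main__":
    for flow in audit(POLICY, SAMPLE_FLOWS):
        print(f"BLOCK {flow.proto}/{flow.dst_port} {flow.src} -> {flow.dst}")
    print("\n".join(POLICY.nftables_rules()))
```

Run against exported firewall or flow logs, `audit()` gives the list of hosts that are reaching the FINS port from outside the allowlist, which is both the traffic to block and the signal that the segmentation is incomplete. The rendered rules place the accept before the drop so that trusted sources match first; everything else aimed at port 9600 on a listed PLC is dropped regardless of transport.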
CVEs (1)