OTPulse

Omron CX-Programmer

Plan Patch | CVSS 7.8 | ICS-CERT ICSA-22-242-09 | Aug 30, 2022
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

CX-Programmer versions prior to 9.78 contain a use-after-free vulnerability (CWE-416) that could allow arbitrary code execution on an engineering workstation when a user opens a malicious file through the application. The vulnerability is not remotely exploitable and requires local access and user interaction. No public exploits are currently known.

What this means
What could happen
An attacker with local access to a PC running CX-Programmer could execute arbitrary code on that workstation, potentially gaining control over engineering functions and access to connected control systems.
Who's at risk
Engineering teams at water utilities, electric utilities, and other industrial facilities that use Omron CX-Programmer for PLC and controller programming and configuration. This affects engineering workstations, not the control equipment itself, but compromise of these stations could lead to unauthorized changes to control logic and setpoints.
How it could be exploited
An attacker must trick a user into opening a malicious file (attachment, USB drive, or downloaded file) on a PC where CX-Programmer is installed. When the file is opened through CX-Programmer, the vulnerability allows code execution with the privileges of the user running the application.
Prerequisites
  • Local access to a PC running CX-Programmer version prior to 9.78
  • User interaction required - victim must open a malicious file through CX-Programmer
  • CX-Programmer application must be installed on the target PC
  • Requires user interaction
  • Local access only - not remotely exploitable
  • Engineering tool compromise could lead to control system manipulation
  • Use-after-free vulnerability (CWE-416) in file parsing
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product | Affected Versions | Fix Status
CX-Programmer: All | < 9.78 | 9.78
Remediation & Mitigation
Do now
  • WORKAROUND: Perform virus scans on USB drives and removable media before connecting to engineering workstations
  • HARDENING: Install and maintain up-to-date commercial-grade antivirus software on all PCs with CX-Programmer
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
  • HOTFIX: Update CX-Programmer to version 9.78 or later
Long-term hardening
  • HARDENING: Enforce multifactor authentication on all devices with remote access to control systems
  • HARDENING: Restrict physical access to engineering workstations and control system equipment to authorized personnel only
  • HARDENING: Train users not to open attachments or click links in unsolicited emails
Omron CX-Programmer | CVSS 7.8 - OTPulse