Omron NJ/NX-series Machine Automation Controllers

Plan PatchCVSS 7.5ICS-CERT ICSA-22-314-08Nov 10, 2022

Omron

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityHigh

User InteractionRequired

Summary

Omron NJ/NX-series Machine Automation Controllers and related software contain authentication bypass vulnerabilities in their communications protocol (CWE-798: Use of Hardcoded Credentials, CWE-294: Authentication Using a Shared Secret). An attacker with network access can bypass authentication mechanisms to gain unauthorized login and operational control of the affected controllers. This affects NX7-series, NX1-series, NJ-series controllers, Sysmac Studio automation software, and NA-series Programmable Terminals. The vulnerability has been linked to APT cyber tools targeting industrial control systems.

What this means

What could happen

An attacker could bypass authentication to login and operate NJ/NX-series controllers without authorization, potentially modifying machine setpoints, halting production, or causing unsafe equipment states.

Who's at risk

Water and electric utilities, food/beverage processing, pharmaceutical manufacturing, and any facility using Omron NJ/NX machine automation controllers for critical production processes. Programmable terminals (NA-series) used for human-machine interface (HMI) operations are also affected. Sysmac Studio engineering workstations that program these controllers are at risk.

How it could be exploited

An attacker with network access to the controller's communications port can send specially crafted packets that bypass the authentication mechanism. Once authenticated, the attacker can use standard Omron control commands to change parameters or stop the machine.

Prerequisites

Network access to the controller's communications port (e.g., port 9600 for FINS protocol)
No valid credentials required
Knowledge of target controller model and firmware version

Remotely exploitable over networkNo authentication required for exploitationLow complexity attackNo patch available for affected versionsAffects process automation and control systemsRelated to APT cyber tool campaign targeting ICS/SCADA

Exploitability

Some exploitation risk — EPSS score 1.2%

Affected products (5)

3 with fix2 pending

ProductAffected VersionsFix Status

NJ/NX-series Controllers and Software - NJ-series Machine Automation Controller (All Models):≤ 1.48No fix yet

NJ/NX-series Controllers and Software - NA-series Programable Terminal (NA5-15W, NA5-12W, NA5-9W, NA5-7W): Runtime≤ 1.15No fix yet

NJ/NX-series Controllers and Software - NX7-series Machine Automation Controller (All Models):≤ 1.281.29 or higher

NJ/NX-series Controllers and Software - NX1-series Machine Automation Controller (All Models):≤ 1.481.50 or higher

NJ/NX-series Controllers and Software - Automation Software Sysmac Studio (All Models):≤ 1.491.50 or higher

Remediation & Mitigation

0/16

Do now

0/6

HARDENINGIsolate affected controllers from untrusted networks and IT networks using firewalls and network segmentation

WORKAROUNDDisable unused communications ports on controllers and restrict host-to-host connections

HARDENINGDeploy VPN for any remote access to control systems

HARDENINGEnforce strong password policies and change default credentials

HARDENINGInstall and maintain up-to-date antivirus protection on all PCs accessing control systems

WORKAROUNDScan and validate all USB drives and external media for malware before connecting to systems

Schedule — requires maintenance window

0/6

Patching may require device reboot — plan for process interruption

HOTFIXUpdate NX7-series to firmware version 1.29 or higher

HOTFIXUpdate NX1-series to firmware version 1.50 or higher

HOTFIXUpdate NJ-series controllers (NJ501-1300, NJ501-1400, NJ501-1500) to version 1.49 or higher

HOTFIXUpdate all other NJ-series controllers to firmware version 1.50 or higher

HOTFIXUpdate Sysmac Studio automation software to version 1.50 or higher

HOTFIXUpdate NA-series Programmable Terminal runtime to version 1.16 or higher

Long-term hardening

0/4

HARDENINGImplement physical access controls to restrict authorized personnel only

HARDENINGEnforce multifactor authentication (MFA) on all devices with remote access capability

HARDENINGImplement process validation including range checks on input/output data to detect unauthorized modifications

HARDENINGConduct regular data backups and validate backup integrity for data recovery capability

CVEs (2)

CVE-2022-34151 CVE-2022-33208

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/2c6c776f-df86-4275-b690-75abbc25e9cc

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.