XINJE XD
Monitor · 7.3 · ICS-CERT ICSA-23-024-01 · Jan 24, 2023
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary
XINJE XD Programming Tool versions 3.5.1 and earlier contain path traversal (CWE-23) and insecure loading of code (CWE-427) vulnerabilities. Successful exploitation allows an attacker to write arbitrary project files to a connected PLC and gain code execution privileges on that device. The vulnerabilities are not remotely exploitable and require local access to a workstation running the programming tool and user interaction (e.g., opening a malicious project file).
What this means
What could happen
An attacker with local access to an engineering workstation could trick a user into opening a malicious project file, which would write arbitrary code to connected PLCs and allow the attacker to alter process logic, modify setpoints, or stop industrial operations.
Who's at risk
Manufacturing plants and facilities using XINJE XD Programming Tool to develop or modify logic for XINJE PLCs should be concerned. This affects organizations with engineering teams that use the XINJE development environment, particularly those where desktop workstations are less physically secured or where engineers may be targeted by social engineering (e.g., receiving malicious project files via email or USB).
How it could be exploited
An attacker would craft a malicious XINJE XD project file and social-engineer an engineer or technician into opening it on a workstation with the vulnerable programming tool installed. When opened, the file exploits the path traversal flaw to write arbitrary code into the connected PLC, achieving code execution on the control device.
Prerequisites
- Local access to a workstation running XINJE XD Programming Tool version 3.5.1 or earlier
- User interaction required: victim must open a malicious project file
- PLC must be connected to the engineering workstation (typically via serial or network connection)
- User with permissions to program the connected PLC
no patch available · requires user interaction · affects safety-critical industrial devices (PLC) · low complexity attack
Exploitability
Low exploit probability (EPSS 0.6%)
Affected products (1)
Product | Affected Versions | Fix Status
XD Programing Tool | ≤ 3.5.1 | No fix yet
Remediation & Mitigation
Do now
- WORKAROUND: Train engineers and technicians to not open project files from untrusted sources (email, USB, external sites)
- WORKAROUND: Implement email filtering to block suspicious attachments and URLs targeting engineering staff
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Monitor PLC program changes and maintain audit logs of all project uploads and modifications
Long-term hardening
- HARDENING: Restrict physical and network access to engineering workstations running XINJE XD Programming Tool to authorized personnel only
- HARDENING: Isolate programming workstations and connected PLCs from business networks and the Internet using air-gap, firewall, or VLAN segmentation
- HARDENING: Disable unnecessary network services on engineering workstations and connected PLC devices
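One way to approach the "Monitor PLC program changes and maintain audit logs" item from the workstation side, as an added example that is not part of the advisory or of any XINJE tooling: hash the project directory against a reviewed baseline and record every change in a hash-chained log. The advisory does not describe a project file format or a log format, so the `.proj` file names, contents and timestamp below are constructed, and the script watches files on disk rather than the PLC itself.

```python
import hashlib
import tempfile
from pathlib import Path

GENESIS = "0" * 64  # chain value before the first record

def snapshot(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(Path(root).rglob("*")) if p.is_file()}

def diff(baseline, current):
    """List (event, path) pairs for files added, removed or modified since baseline."""
    def kind(p):
        return "added" if p not in baseline else "removed" if p not in current else "modified"
    return [(kind(p), p) for p in sorted(set(baseline) | set(current))
            if baseline.get(p) != current.get(p)]

def _link(prev, when, event, path):
    """Chain value for a record: SHA-256 over its fields and the previous chain value."""
    return hashlib.sha256(repr((prev, when, event, path)).encode()).hexdigest()

def append_audit(log, events, when):
    """Append events to a hash-chained audit log (a list of dicts), in place."""
    prev = log[-1]["chain"] if log else GENESIS
    for event, path in events:
        prev = _link(prev, when, event, path)
        log.append({"time": when, "event": event, "path": path, "chain": prev})
    return log

def verify_chain(log):
    """True if no record was edited, reordered or removed ahead of a later record."""
    prev = GENESIS
    for rec in log:
        prev = _link(prev, rec["time"], rec["event"], rec["path"])
        if prev != rec["chain"]:
            return False
    return True

def demo():
    """Constructed sample: baseline two project files, then edit one and add one."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "line1.proj").write_bytes(b"rung 1")  # constructed names and contents
        (root / "line2.proj").write_bytes(b"rung 2")
        baseline = snapshot(root)
        (root / "line1.proj").write_bytes(b"rung 1 (edited)")
        (root / "unreviewed.proj").write_bytes(b"rung 3")
        events = diff(baseline, snapshot(root))
    return events, append_audit([], events, "2023-01-24T00:00:00Z")
```

The chain exposes edits or removals that sit ahead of a later record; detecting truncation of the tail requires keeping the latest chain value somewhere the workstation user cannot rewrite.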
CVEs (2)