Omron Engineering Software Zip-Slip
Monitor | 5.5 | ICS-CERT ICSA-23-262-03 | Sep 19, 2023
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
A zip-slip path traversal vulnerability in Omron Sysmac Studio (version 1.54 and earlier) and NX-IO Configurator (version 1.22 and earlier) allows local attackers to overwrite arbitrary files on the system when a user extracts a malicious zip archive. The vulnerability results from insufficient validation of zip entry paths before extraction. Successful exploitation could corrupt application files, system files, or control system configurations, leading to loss of data or system instability. No vendor patches are available for either product.
What this means
What could happen
An attacker with local access to an engineering workstation could overwrite critical files on the system, potentially corrupting control system configurations or data used by Omron PLCs and I/O devices.
Who's at risk
Engineering teams at water utilities, electric utilities, and other critical infrastructure operators using Omron automation platforms should care. Sysmac Studio is the primary configuration and programming tool for Omron PLCs and safety controllers. NX-IO Configurator manages networked I/O modules. Both are used to design, test, and maintain control logic for pumping systems, electrical distribution, process control, and safety interlocks.
How it could be exploited
An attacker must trick a user into extracting a malicious zip file on a system running Sysmac Studio or NX-IO Configurator. The zip contains crafted entries with path traversal sequences (../) that bypass directory restrictions, allowing the attacker to write files outside the intended extraction folder and overwrite system or application files.
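A pre-extraction audit for the traversal described above, as an added example (not code from Omron or from this advisory): it lists zip entries whose path would resolve outside the extraction folder. It goes beyond the `../` case to cover backslash separators, absolute paths and drive-qualified names; the root `C:\extract`, the function names and the sample archive are constructed for illustration.

```python
import io
import ntpath
import zipfile

ROOT = "C:\\extract"  # constructed stand-in for the intended extraction folder


def escapes(name: str) -> bool:
    """True if a zip entry name would resolve outside the extraction folder."""
    # Windows extractors accept '\' as well as '/', so unify before checking.
    unified = name.replace("/", "\\")
    drive, rest = ntpath.splitdrive(unified)
    if drive or rest.startswith("\\"):
        return True  # drive-qualified, UNC or absolute entry name
    resolved = ntpath.normpath(ntpath.join(ROOT, rest))
    return not (resolved == ROOT or resolved.startswith(ROOT + "\\"))


def audit_zip(data: bytes) -> list[str]:
    """Return the entry names in a zip that would be written outside ROOT."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [info.filename for info in zf.infolist() if escapes(info.filename)]


def build_sample() -> bytes:
    """Constructed sample archive: two contained entries, two traversal entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("project/config.xml", "<cfg/>")
        zf.writestr("project/lib/../notes.txt", "stays inside")
        zf.writestr("../../outside.txt", "escapes")
        zf.writestr("project/../../outside2.txt", "escapes")
    return buf.getvalue()


if __name__ == "__main__":
    for name in audit_zip(build_sample()):
        print("REJECT:", name)
```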
Prerequisites
- Local access to the workstation running Omron Sysmac Studio or NX-IO Configurator
- User interaction required: victim must extract a malicious zip archive
- Application must attempt to extract the zip file without proper path validation
No authentication required (local user interaction only)
Low attack complexity
No patch available (end-of-life products)
Affects engineering workstations that control critical operations
File overwrite could corrupt control system configurations
Exploitability
Low exploit probability (EPSS 0.6%)
Affected products (2)
2 EOL
Product | Affected Versions | Fix Status
Sysmac Studio | ≤ 1.54 | No fix (EOL)
NX-IO Configurator | ≤ 1.22 | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Implement antivirus and antimalware protection on all workstations running Sysmac Studio or NX-IO Configurator, configured to detect zip-slip and other file-based attacks.
HARDENING: Restrict and monitor USB device connections to engineering workstations; scan all removable media for malware before connecting to systems.
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HARDENING: Train users not to extract zip files from untrusted sources and to verify the source of archive files before opening them.
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Sysmac Studio ≤ 1.54, NX-IO Configurator ≤ 1.22. Apply the following compensating controls:
HARDENING: Isolate engineering workstations from the business network and internet using a firewall; restrict outbound connections to only necessary systems.
HARDENING: Implement regular full-disk backups of engineering workstations and test restore procedures to enable rapid recovery if files are corrupted.
HARDENING: Enforce multi-factor authentication on all remote access to engineering workstations to reduce risk of account compromise and malicious file delivery.
CVEs (1)