IDEC Products (Update A)
Monitor | 5.3 | ICS-CERT ICSA-24-263-02 | Sep 19, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
IDEC MICROSmart and SmartAXIS controllers transmit user authentication information and device IDs in plaintext and use predictable ID values. This allows an attacker with network access to capture credentials or predict device identities, potentially enabling unauthorized configuration changes or control commands. Affected products include FC6A/FC6B All-in-One and Plus CPU modules, FT1A SmartAXIS Pro/Lite, and SX8R Bus Coupler Module. The vulnerabilities are classified as CWE-319 (Cleartext Transmission of Sensitive Information) and CWE-340 (Generation of Predictable Numbers or Identifiers).
What this means
What could happen
An attacker with network access to these IDEC controllers could intercept unencrypted credentials or IDs used for authentication, potentially gaining unauthorized access to device configuration and control functions, or disrupt communication between devices.
Who's at risk
Water authorities and municipalities using IDEC MICROSmart (FC6A/FC6B All-in-One or Plus), SmartAXIS (FT1A), or SX8R Bus Coupler modules in their control systems should be concerned. These are commonly used in small to mid-size programmable controllers for water treatment, distribution, and wastewater processes, as well as in general industrial automation.
How it could be exploited
An attacker on the same network as the controller can passively intercept plaintext authentication traffic or predict device IDs used in communication protocols. By capturing these credentials or IDs, the attacker could impersonate the device or a legitimate user to send unauthorized commands to the controller or access its configuration interface.
Prerequisites
- Network access to the IDEC controller (same network segment or routed path)
- Ability to capture or monitor network traffic to intercept plaintext credentials
- Knowledge of the device's communication protocol and ID scheme (predictable IDs may reduce complexity)
- Remotely exploitable via network access
- No authentication required to intercept plaintext credentials
- Low exploitation complexity
- No patch available for affected versions (end-of-life products or vendor has not committed to fixes)
- Affects control system authentication mechanisms
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (6)
6 with fix
| Product | Affected Versions | Fix Status |
|---|---|---|
| FC6B Series MICROSmart Plus CPU module | ≤ Ver.2.60 | 2.70 or later |
| FC6A Series MICROSmart All-in-One CPU module | ≤ Ver.2.60 | 2.70 or later |
| FC6B Series MICROSmart All-in-One CPU module | ≤ Ver.2.60 | 2.70 or later |
| FC6A Series MICROSmart Plus CPU module | ≤ Ver.2.40 | 2.50 or later |
| FT1A Series SmartAXIS Pro/Lite | ≤ Ver.2.41 | 2.50 or later |
| SX8R Bus Coupler Module | ≤ Ver.2.1.0 | 2.2.0 or later |
Remediation & Mitigation
Do now
- WORKAROUND: If remote access is required, implement a VPN with current security updates to encrypt communication to and from the controllers
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update FC6A Series MICROSmart All-in-One CPU module to version 2.70 or later
- HOTFIX: Update FC6B Series MICROSmart All-in-One CPU module to version 2.70 or later
- HOTFIX: Update FC6A Series MICROSmart Plus CPU module to version 2.50 or later
- HOTFIX: Update FC6B Series MICROSmart Plus CPU module to version 2.70 or later
- HOTFIX: Update FT1A Series SmartAXIS Pro/Lite to version 2.50 or later
- HOTFIX: Update SX8R Bus Coupler Module to version 2.2.0 or later
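One way to check an asset inventory against the affected-products table on this page and list which units need which update; this is an added example, not IDEC or ICS-CERT tooling. The CSV columns, asset names and firmware values are constructed, and it assumes versions are written with the same digit layout as the table (2.70, not 2.7).

```python
import csv
import io
import re

# Ceiling and first fixed version per product, from the table on this page.
ADVISORY = {
    "FC6A Series MICROSmart All-in-One CPU module": ("2.60", "2.70"),
    "FC6B Series MICROSmart All-in-One CPU module": ("2.60", "2.70"),
    "FC6A Series MICROSmart Plus CPU module": ("2.40", "2.50"),
    "FC6B Series MICROSmart Plus CPU module": ("2.60", "2.70"),
    "FT1A Series SmartAXIS Pro/Lite": ("2.41", "2.50"),
    "SX8R Bus Coupler Module": ("2.1.0", "2.2.0"),
}

# Constructed sample inventory (hypothetical columns, assets and versions).
SAMPLE = """asset,product,firmware
PLC-01,FC6A Series MICROSmart Plus CPU module,Ver.2.40
PLC-02,FC6B Series MICROSmart All-in-One CPU module,2.70
PLC-03,SX8R Bus Coupler Module,v2.1.0
PLC-04,FT1A Series SmartAXIS Pro/Lite,2.45
PLC-05,FC6A Series MICROSmart All-in-One CPU module,not recorded
"""

def parse_version(text):
    """'Ver.2.60' or 'v2.1.0' -> (2, 60) or (2, 1, 0); None if unreadable."""
    match = re.search(r"\d+(?:\.\d+)+", text)
    return tuple(int(p) for p in match.group().split(".")) if match else None

def triage(inventory_csv):
    """Return {asset: (status, action)} for every row of the inventory."""
    out = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        entry = ADVISORY.get(row["product"].strip())
        installed = parse_version(row["firmware"])
        if entry is None:
            out[row["asset"]] = ("not-listed", "not covered by this advisory")
        elif installed is None:
            out[row["asset"]] = ("unknown", "read the firmware version from the device")
        elif installed <= parse_version(entry[0]):
            out[row["asset"]] = ("affected", f"update to {entry[1]} or later")
        elif installed >= parse_version(entry[1]):
            out[row["asset"]] = ("fixed", "none")
        else:  # between the ceiling and the fix: the table does not say
            out[row["asset"]] = ("unknown", "confirm status with the vendor")
    return out

if __name__ == "__main__":
    for asset, (status, action) in triage(SAMPLE).items():
        print(f"{asset}: {status} -> {action}")
```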
Long-term hardening
- HARDENING: Isolate IDEC controller networks from the business network using firewalls and network segmentation
- HARDENING: Ensure IDEC controllers are not directly accessible from the Internet; restrict network exposure to authorized devices only
CVEs (2)