IDEC Products (Update A)

Monitor | CVSS 5.3 | ICS-CERT ICSA-24-263-02 | Sep 19, 2024
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Two security vulnerabilities in IDEC MICROSmart and SmartAXIS industrial control modules:

  1. Plaintext transmission of sensitive authentication information during communication protocols. An attacker with network access could capture user credentials in transit.
  2. Predictable identification values (IDs) used in communication exchanges. An attacker could forge or manipulate messages by predicting these IDs, potentially disrupting communications or impersonating legitimate devices.

Affected products: FC6A/FC6B Series MICROSmart All-in-One and Plus CPU modules, FT1A Series SmartAXIS Pro/Lite controllers, and SX8R Bus Coupler modules. All versions up to specified dates are vulnerable.

What this means
What could happen
An attacker with network access could capture plaintext authentication credentials transmitted by MICROSmart or SmartAXIS controllers, or forge control messages using predictable IDs, potentially disrupting process automation or gaining unauthorized control over connected devices.
Who's at risk
Water and utility automation engineers and operators using IDEC MICROSmart or SmartAXIS controllers for process automation. These compact programmable logic controllers are commonly used in smaller water treatment, wastewater, or pump station automation systems. Equipment includes the FC6A/FC6B MICROSmart All-in-One and Plus CPU modules (the main controllers), FT1A SmartAXIS Pro/Lite controllers (HMI/automation devices), and SX8R Bus Coupler modules (network interface devices).
How it could be exploited
An attacker on the same network segment as a vulnerable controller could passively sniff plaintext credential traffic during normal communication, or actively craft and inject forged messages using predictable IDs to disrupt or manipulate device communications. No authentication is required to intercept or inject traffic.
Prerequisites
  • Network access to the IDEC controller or the network segment where it communicates
  • Ability to perform packet capture or injection (passive sniffer or active man-in-the-middle position on the network segment)
remotely exploitable | no authentication required | low complexity | plaintext credential transmission | predictable ID values enable message forgery | affects small-to-medium process automation systems
Exploitability
Unlikely to be exploited — EPSS score 0.4%
Affected products (6)
6 with fix
Product | Affected Versions | Fix Status
FC6B Series MICROSmart Plus CPU module | ≤ Ver.2.60 | 2.70+
FC6A Series MICROSmart All-in-One CPU module | ≤ Ver.2.60 | 2.70+
FC6B Series MICROSmart All-in-One CPU module | ≤ Ver.2.60 | 2.70+
FC6A Series MICROSmart Plus CPU module | ≤ Ver.2.40 | 2.50+
FT1A Series SmartAXIS Pro/Lite | ≤ Ver.2.41 | 2.50+
SX8R Bus Coupler Module | ≤ Ver.2.1.0 | 2.2.0+
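
An added example, not part of the advisory or any IDEC tooling: a firmware inventory check against the table above. The CSV layout, the asset names and the "verify" status (used for unreadable versions and for versions that fall between the last affected and first fixed release, which the table does not classify) are assumptions.

```python
import csv, io, re

# (last affected version, first fixed version) per product, taken from the table above.
ADVISORY = {
    "FC6A Series MICROSmart All-in-One CPU module": ("2.60", "2.70"),
    "FC6B Series MICROSmart All-in-One CPU module": ("2.60", "2.70"),
    "FC6A Series MICROSmart Plus CPU module": ("2.40", "2.50"),
    "FC6B Series MICROSmart Plus CPU module": ("2.60", "2.70"),
    "FT1A Series SmartAXIS Pro/Lite": ("2.41", "2.50"),
    "SX8R Bus Coupler Module": ("2.1.0", "2.2.0"),
}

def parse_version(text):
    """Turn 'Ver.2.60' or '2.1.0' into a 3-tuple of ints, or None if unparseable."""
    m = re.search(r"\d+(?:\.\d+){1,2}", text or "")
    if not m:
        return None
    parts = [int(p) for p in m.group().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def classify(product, version):
    """Return 'affected', 'fixed', 'verify' or 'not-listed' for one device."""
    if product not in ADVISORY:
        return "not-listed"
    installed = parse_version(version)
    last_affected, first_fixed = map(parse_version, ADVISORY[product])
    if installed is None or last_affected < installed < first_fixed:
        return "verify"  # unreadable, or in the gap the table does not classify
    return "affected" if installed <= last_affected else "fixed"

# Constructed sample inventory (asset names and installed versions are made up).
INVENTORY_CSV = """asset,product,firmware
pump-station-1,FC6A Series MICROSmart Plus CPU module,Ver.2.40
pump-station-2,FC6A Series MICROSmart Plus CPU module,Ver.2.50
clarifier-hmi,FT1A Series SmartAXIS Pro/Lite,2.45
remote-io-3,SX8R Bus Coupler Module,2.1.0
filter-plc,FC6B Series MICROSmart All-in-One CPU module,Ver.2.70
lab-plc,FC6B Series MICROSmart Plus CPU module,unknown
"""

def audit(csv_text):
    """Map each asset name in the CSV to its classification."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["asset"]: classify(r["product"].strip(), r["firmware"]) for r in rows}

if __name__ == "__main__":
    for asset, status in audit(INVENTORY_CSV).items():
        print(f"{asset:16} {status}")
```

Version components are compared as integers, so the FC6A Plus threshold (2.50) is kept separate from the 2.70 threshold of the other FC6A/FC6B modules.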
Remediation & Mitigation
Do now
HARDENING: Restrict network access to IDEC controllers to only authorized engineering workstations and automation networks; block all inbound access from business networks and the Internet
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update FC6A Series MICROSmart All-in-One CPU module to firmware version 2.70 or later
HOTFIX: Update FC6B Series MICROSmart All-in-One CPU module to firmware version 2.70 or later
HOTFIX: Update FC6A Series MICROSmart Plus CPU module to firmware version 2.50 or later
HOTFIX: Update FC6B Series MICROSmart Plus CPU module to firmware version 2.70 or later
HOTFIX: Update FT1A Series SmartAXIS Pro/Lite controller to firmware version 2.50 or later
HOTFIX: Update SX8R Bus Coupler Module to firmware version 2.2.0 or later
Long-term hardening
HARDENING: If remote engineering access is required, implement a VPN gateway and require VPN authentication before any access to IDEC controllers
API: /api/v1/advisories/84a9cf5e-5038-4b1a-8e6f-60cb91dceb34
