Omron Clears CX-One CX-Protocol Hole

Thursday, January 10, 2019 @ 03:01 PM gHale

Omron released an updated version to address a type confusion vulnerability in its CX-Protocol within CX-One, according to a report from NCCIC.

Successful exploitation of these vulnerabilities could allow an attacker to execute code under the privileges of the application.

CX-One Versions 4.50 and prior, including CX-Protocol Versions 2.0 and prior, suffer from the vulnerability, discovered by Esteban Ruiz (mr_me) of Source Incite, working with Trend Micro’s Zero Day Initiative.

Three type confusion vulnerabilities exist in the processing of project files. An attacker could use a specially crafted project file to exploit them and execute code under the privileges of the application.

CVE-2018-19027 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.6.

The product is used mainly in the critical manufacturing sector and is deployed on a global basis.

No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely. However, an attacker with a low skill level could leverage the vulnerability.

Japan-based Omron released an updated version of CX-One to address the reported vulnerabilities. These releases are available through the CX-One auto-update service.


