Omron Fixes CX-Programmer Hole

Thursday, April 4, 2019 @ 05:04 PM gHale

Omron released a new version of CX-One to mitigate a use-after-free vulnerability in its CX-Programmer component, according to an advisory from NCCIC.

Successful exploitation of this vulnerability, discovered by Esteban Ruiz (mr_me) of Source Incite working with Trend Micro’s Zero Day Initiative, could allow an attacker to execute code with the privileges of the application.


The following versions of CX-Programmer within CX-One are affected:
• CX-Programmer v9.70 and prior
• Common Components January 2019 and prior

The vulnerability occurs when the application processes project files: it fails to check whether it is referencing memory that has already been freed. An attacker could exploit this by supplying a specially crafted project file that the application then opens, and execute code with the privileges of the application.
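To make the bug class concrete, the following is an added example written for this article, not code from Omron, CX-Programmer or the advisory. It is a toy parser for a constructed three-byte record format ([opcode][object id][kind]; the opcodes, limits, error codes and names are all assumptions for illustration) in which a DELETE record frees an object but leaves its pointer in a lookup table, so a later REF record dereferences freed memory. The hardened variant beside it clears the slot on free and checks every slot before use, so the same DELETE/REF (or DELETE/DELETE) sequence is rejected as a malformed file.

```c
/* Added example (not Omron's code): a toy "project file" parser showing the
 * use-after-free pattern the advisory describes, beside a hardened version.
 * The record format, limits, error codes and names are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>

#define MAX_OBJS 8

/* Constructed record layout: three bytes per record, [opcode][object id][kind]. */
enum { OP_DEFINE = 1, OP_DELETE = 2, OP_REF = 3 };
enum { PARSE_OK = 0, PARSE_ERR_TRUNCATED = -1, PARSE_ERR_BAD_ID = -2,
       PARSE_ERR_BAD_OP = -3, PARSE_ERR_OOM = -4, PARSE_ERR_STALE_REF = -5 };

typedef struct { int kind; char name[32]; } project_obj;

static void release_all(project_obj **table) {
    for (int i = 0; i < MAX_OBJS; i++) { free(table[i]); table[i] = NULL; }
}

/* Vulnerable: OP_DELETE frees the object but leaves the stale pointer in the
 * table, and OP_REF dereferences the slot without checking it. A file holding
 * DEFINE 0 / DELETE 0 / REF 0 therefore reads freed memory (undefined
 * behaviour, and the primitive an attacker builds code execution from); a
 * second DELETE 0, or the final cleanup, frees the same chunk twice. */
int parse_project_vulnerable(const unsigned char *buf, size_t len, int *last_kind) {
    project_obj *table[MAX_OBJS] = {0};
    int rc = PARSE_OK;
    *last_kind = -1;
    for (size_t off = 0; off < len && rc == PARSE_OK; off += 3) {
        if (off + 3 > len) { rc = PARSE_ERR_TRUNCATED; break; }
        unsigned op = buf[off], id = buf[off + 1], kind = buf[off + 2];
        if (id >= MAX_OBJS) { rc = PARSE_ERR_BAD_ID; break; }
        switch (op) {
        case OP_DEFINE:
            free(table[id]);                /* drop any earlier definition */
            table[id] = calloc(1, sizeof(project_obj));
            if (!table[id]) { rc = PARSE_ERR_OOM; break; }
            table[id]->kind = (int)kind;
            snprintf(table[id]->name, sizeof table[id]->name, "obj%u", id);
            break;
        case OP_DELETE:
            free(table[id]);                /* BUG: table[id] still points at the chunk */
            break;
        case OP_REF:
            *last_kind = table[id]->kind;   /* BUG: slot may be freed or NULL */
            break;
        default:
            rc = PARSE_ERR_BAD_OP;
            break;
        }
    }
    release_all(table);                     /* BUG: double free after a DELETE */
    return rc;
}

/* Hardened: the slot is cleared when the object is freed and every use of a
 * slot checks it first, so the file is rejected instead of touching freed
 * memory. Nothing else about the parser changes. */
int parse_project_hardened(const unsigned char *buf, size_t len, int *last_kind) {
    project_obj *table[MAX_OBJS] = {0};
    int rc = PARSE_OK;
    *last_kind = -1;
    for (size_t off = 0; off < len && rc == PARSE_OK; off += 3) {
        if (off + 3 > len) { rc = PARSE_ERR_TRUNCATED; break; }
        unsigned op = buf[off], id = buf[off + 1], kind = buf[off + 2];
        if (id >= MAX_OBJS) { rc = PARSE_ERR_BAD_ID; break; }
        switch (op) {
        case OP_DEFINE:
            free(table[id]);                /* valid or NULL here, never stale */
            table[id] = calloc(1, sizeof(project_obj));
            if (!table[id]) { rc = PARSE_ERR_OOM; break; }
            table[id]->kind = (int)kind;
            snprintf(table[id]->name, sizeof table[id]->name, "obj%u", id);
            break;
        case OP_DELETE:
            if (!table[id]) { rc = PARSE_ERR_STALE_REF; break; }  /* FIX: no double free */
            free(table[id]);
            table[id] = NULL;               /* FIX: no dangling pointer remains */
            break;
        case OP_REF:
            if (!table[id]) { rc = PARSE_ERR_STALE_REF; break; }  /* FIX: no use after free */
            *last_kind = table[id]->kind;
            break;
        default:
            rc = PARSE_ERR_BAD_OP;
            break;
        }
    }
    release_all(table);
    return rc;
}

/* Constructed sample inputs. BENIGN defines object 0 (kind 7) and references
 * it; MALICIOUS deletes object 0 before referencing it, the ordering that
 * triggers the use after free in the vulnerable parser. */
static const unsigned char BENIGN_FILE[]      = { OP_DEFINE, 0, 7, OP_REF, 0, 0 };
static const unsigned char MALICIOUS_FILE[]   = { OP_DEFINE, 0, 7, OP_DELETE, 0, 0, OP_REF, 0, 0 };
static const unsigned char DOUBLE_FREE_FILE[] = { OP_DEFINE, 0, 7, OP_DELETE, 0, 0, OP_DELETE, 0, 0 };
static const unsigned char TRUNCATED_FILE[]   = { OP_DEFINE, 0 };

/* Wrappers that expose status and referenced kind separately (used by main and by tests). */
int vulnerable_status(const unsigned char *buf, size_t len) { int k; return parse_project_vulnerable(buf, len, &k); }
int vulnerable_kind(const unsigned char *buf, size_t len)   { int k; parse_project_vulnerable(buf, len, &k); return k; }
int hardened_status(const unsigned char *buf, size_t len)   { int k; return parse_project_hardened(buf, len, &k); }
int hardened_kind(const unsigned char *buf, size_t len)     { int k; parse_project_hardened(buf, len, &k); return k; }

int main(void) {
    /* The vulnerable parser is deliberately never run on the malicious inputs
     * here: that path is undefined behaviour, which is the whole point. */
    printf("benign: vulnerable=%d hardened=%d kind=%d\n",
           vulnerable_status(BENIGN_FILE, sizeof BENIGN_FILE),
           hardened_status(BENIGN_FILE, sizeof BENIGN_FILE),
           hardened_kind(BENIGN_FILE, sizeof BENIGN_FILE));
    printf("malicious: hardened=%d  double-free: hardened=%d\n",
           hardened_status(MALICIOUS_FILE, sizeof MALICIOUS_FILE),
           hardened_status(DOUBLE_FREE_FILE, sizeof DOUBLE_FREE_FILE));
    return 0;
}
```

Run the vulnerable parser on MALICIOUS_FILE under AddressSanitizer (gcc -fsanitize=address) to see the heap-use-after-free report; on a plain build it may appear to work, which is exactly why this bug class survives testing. The fix is the pair of changes in the hardened version: invalidate the pointer at the point of free, and treat a reference to an unset slot as a malformed file rather than trusting the file's own object bookkeeping.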

CVE-2019-6556 has been assigned to this vulnerability, which has a CVSS v3 base score of 6.6.

The product is used mainly in the critical manufacturing sector and is deployed worldwide.

No known public exploits specifically target this vulnerability. It is not exploitable remotely; however, an attacker with a low skill level could leverage it.

Japan-based Omron released an updated version of CX-One to address the vulnerability. The release is available through the CX-One auto-update service and consists of the following; since both components are listed as affected, both should be updated:
1. CX-Programmer Version 9.7.1
2. Common Components April 2019
