CVE-2022-31204

Vulnerability

Omron SYSMAC CS/CJ/CP series PLCs transmit the UM Protection password in cleartext when using the FINS commands Program Area Protect and Program Area Protect Clear. This vulnerability affects CS1 versions prior to 4.1, CJ2M prior to 2.1, CJ2H prior to 1.5, CP1E/CP1H prior to 1.30, CP1L prior to 1.10, and all versions of the CP1W-CIF41 Ethernet Option Board [1]. The password is used to restrict sensitive engineering operations such as project and logic uploads/downloads.

Exploitation

An attacker with network access to the PLC can passively capture the FINS commands containing the cleartext password. No authentication is required, and the attack complexity is low. The attacker can then replay or use the captured password to perform restricted engineering operations [1].

Impact

Successful exploitation allows an attacker to obtain the UM Protection password, leading to unauthorized access to sensitive engineering operations. This could result in information disclosure of the PLC project and logic, and potentially enable further attacks. The CVSS v3 base score is 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) [1].

Mitigation

Omron has released firmware updates to address this vulnerability: CS1 v4.1, CJ2M v2.1, CJ2H v1.5, CP1E/CP1H v1.30, and CP1L v1.10. For the CP1W-CIF41, no fix is available; users should restrict network access to the device. Additionally, CX-Programmer should be updated to version 9.6 or later. CISA recommends network segmentation and monitoring to reduce risk [1].