CVE-2022-31205

Vulnerability

The Web UI password used to restrict network configuration changes on Omron SYSMAC CS/CJ/CP series PLCs is stored in plaintext in memory addresses D1449 through D1452. The CP1W-CIF41 Ethernet Option Board is affected, as well as PLC models CP1E, CP1H, CP1L, CP2, CS1, CJ1, and CJ2 [1]. An attacker can read this password using the Omron FINS protocol, which does not require any authentication [1]. Affected versions include SYSMAC CS1 prior to 4.1, CJ2M prior to 2.1, CJ2H prior to 1.5, CP1E/CP1H prior to 1.30, CP1L prior to 1.10, and all versions of CP1W-CIF41 [1]. This is assigned CWE-256: Plaintext Storage of a Password [1].

Exploitation

An attacker with network access to the PLC can use the unauthenticated Omron FINS protocol to read memory addresses D1449...D1452 and extract the Web UI password in plaintext [1]. No authentication, user interaction, or special privileges are required beyond the ability to send FINS commands over the network [1]. The attack is remotely exploitable with low complexity [1].

Impact

Successful exploitation allows the attacker to obtain the Web UI password. With this password, the attacker can change network settings on the affected option board or PLC, potentially enabling further attacks such as denial-of-service or remote code execution [1]. The confidentiality of the password is compromised, and the integrity of device configuration may be affected [1].

Mitigation

Omron has released firmware updates that address this vulnerability: SYSMAC CS1 version 4.1, CJ2M version 2.1, CJ2H version 1.5, CP1E/CP1H version 1.30, and CP1L version 1.10 [1]. No fix is available for CP1W-CIF41 (all versions are affected) [1]. CISA recommends implementing network segmentation, using firewalls, and restricting FINS protocol access to trusted hosts as interim mitigations [1]. This vulnerability is part of the OT:ICEFALL public report [1].