Omron released an updated version to address a type confusion vulnerability in its CX-Protocol within CX-One, according to a report from NCCIC.
Successful exploitation of these vulnerabilities could allow an attacker to execute code under the privileges of the application.
CX-One Versions 4.50 and prior, including CX-Protocol Versions 2.0 and prior, suffer from the vulnerability, discovered by Esteban Ruiz (mr_me) of Source Incite, working with Trend Micro’s Zero Day Initiative.
Three type confusion vulnerabilities exist in the processing of project files. An attacker could use a specially crafted project file to exploit them and execute code under the privileges of the application.
CVE-2018-19027 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.6.
The product sees use mainly in the critical manufacturing sector and is deployed on a global basis.
No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely. However, an attacker with a low skill level could leverage the vulnerability.
Japan-based Omron released an updated version of CX-One to address the reported vulnerabilities. These releases are available through the CX-One auto-update service.