Omron released a new version of CX-Programmer, part of its CX-One suite, to mitigate a use-after-free vulnerability, according to a report from NCCIC.
Successful exploitation of this vulnerability, discovered by Esteban Ruiz (mr_me) of Source Incite working with Trend Micro’s Zero Day Initiative, could allow an attacker to execute code under the privileges of the application.
The following versions of CX-Programmer within CX-One are affected:
• CX-Programmer v9.70 and prior
• Common Components January 2019 and prior
The flaw is a use-after-free: when processing project files, the application fails to check whether it is referencing memory that has already been freed. An attacker who can get a specially crafted project file opened in the application could exploit this to execute code under the privileges of the application.
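To make the bug class concrete, here is an added illustration in C, written for this article rather than taken from Omron, NCCIC or the advisory. It parses a hypothetical record-based "project file" format (the format, the section object, every name and all sample data are constructed) in two ways: a vulnerable parser that keeps using a section after a delete record has freed it, and a hardened one that clears the reference on free and rejects any later use of it, which is the check the paragraph above says the application lacks.

```c
/* Added illustration, not Omron code: a toy "project file" parser showing the
 * use-after-free class described in the advisory and one fix. The record
 * format, the section object and every name here are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy stream of records: [type:1][len:1][payload:len] ...
 *   REC_DEFINE  payload = section name; becomes the current section
 *   REC_DELETE  frees the current section
 *   REC_APPEND  payload = bytes appended to the current section */
enum { REC_DEFINE = 1, REC_DELETE = 2, REC_APPEND = 3 };

typedef struct {
    char name[16];
    size_t used;
    unsigned char data[64];
} section_t;

/* Vulnerable pattern: REC_DELETE frees the section but leaves 'cur' pointing
 * at it, so a following REC_APPEND reads and writes freed memory (and the
 * final free() becomes a double free). Compile with -fsanitize=address and
 * feed SAMPLE_UAF to see the report; main() below deliberately never calls it. */
int parse_vulnerable(const unsigned char *buf, size_t len)
{
    section_t *cur = NULL;
    size_t i = 0;
    while (i + 2 <= len) {
        unsigned type = buf[i], plen = buf[i + 1];
        const unsigned char *p = buf + i + 2;
        if (i + 2 + plen > len) return -1;
        if (type == REC_DEFINE) {
            cur = calloc(1, sizeof *cur);
            if (!cur) return -1;
            memcpy(cur->name, p, plen < 15 ? plen : 15);
        } else if (type == REC_DELETE) {
            free(cur);                    /* 'cur' now dangles */
        } else if (type == REC_APPEND && cur &&
                   cur->used + plen <= sizeof cur->data) {   /* use after free */
            memcpy(cur->data + cur->used, p, plen);
            cur->used += plen;
        }
        i += 2 + plen;
    }
    free(cur);                            /* double free after REC_DELETE */
    return 0;
}

/* Hardened: the dangling reference is cleared when the object is freed and
 * every use checks that a live section exists. Returns the number of bytes
 * appended on success; -1 malformed/truncated stream, -2 reference to a
 * deleted or undefined section, -3 section capacity exceeded, -4 bad type. */
int parse_hardened(const unsigned char *buf, size_t len)
{
    section_t *cur = NULL;
    int appended = 0;
    size_t i = 0;
    while (i + 2 <= len) {
        unsigned type = buf[i], plen = buf[i + 1];
        const unsigned char *p = buf + i + 2;
        if (i + 2 + plen > len) { free(cur); return -1; }
        switch (type) {
        case REC_DEFINE:
            free(cur);                    /* release any previous section */
            cur = calloc(1, sizeof *cur);
            if (!cur) return -1;
            memcpy(cur->name, p, plen < 15 ? plen : 15);
            break;
        case REC_DELETE:
            free(cur);
            cur = NULL;                   /* the check below can now detect reuse */
            break;
        case REC_APPEND:
            if (!cur) return -2;          /* file refers to a freed section: reject */
            if (cur->used + plen > sizeof cur->data) { free(cur); return -3; }
            memcpy(cur->data + cur->used, p, plen);
            cur->used += plen;
            appended += (int)plen;
            break;
        default:
            free(cur);
            return -4;
        }
        i += 2 + plen;
    }
    free(cur);
    return i == len ? appended : -1;      /* trailing partial record is an error */
}

/* Constructed sample streams (not real CX-Programmer project data). */
static const unsigned char SAMPLE_OK[] = {
    1, 4, 'm', 'a', 'i', 'n',  3, 3, 'a', 'b', 'c',  3, 2, 'd', 'e',
    2, 0,  1, 2, 'i', 'o',  3, 1, 'z' };            /* 6 bytes appended */
static const unsigned char SAMPLE_UAF[] = {
    1, 3, 's', 'e', 'c',  2, 0,  3, 2, 'x', 'y' };  /* append after delete */
static const unsigned char SAMPLE_TRUNC[] = { 3, 5, 'a', 'b' }; /* len > data */

int main(void)
{
    printf("ok: %d\n",    parse_hardened(SAMPLE_OK, sizeof SAMPLE_OK));
    printf("uaf: %d\n",   parse_hardened(SAMPLE_UAF, sizeof SAMPLE_UAF));
    printf("trunc: %d\n", parse_hardened(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC));
    return 0;
}
```

The hardened parser treats a reference to a freed object as a file-format error and stops, rather than trusting whatever the freed block now holds. To watch the vulnerable version fail, build with `cc -g -fsanitize=address` and call `parse_vulnerable(SAMPLE_UAF, sizeof SAMPLE_UAF)`; AddressSanitizer reports the heap-use-after-free at the REC_APPEND step.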
This vulnerability has been assigned CVE-2019-6556 and has a CVSS v3 base score of 6.6.
The product is deployed worldwide, mainly in the critical manufacturing sector.
No known public exploits specifically target this vulnerability. It is not exploitable remotely, but an attacker with a low skill level could leverage it.
Japan-based Omron released an updated version of CX-One that addresses the vulnerability. It is available through the CX-One auto-update service and consists of:
1. CX-Programmer Version 9.7.1
2. Common Components April 2019
After updating, confirm that the installed CX-Programmer reports version 9.7.1 or later and that Common Components is at the April 2019 release; an installation still at v9.70 or the January 2019 components remains affected.