Omron released an updated version of CX-One to mitigate multiple vulnerabilities, according to a report from ICS-CERT.
The vulnerabilities, discovered by Rgod working with Trend Micro’s Zero Day Initiative, are a stack-based buffer overflow, heap-based buffer overflow and type confusion.
Successful exploitation of these vulnerabilities could allow remote code execution.
The following versions of CX-One suffer from the issues:
• CX-One Versions 4.42 and prior, including the following applications:
o CX-FLnet versions 1.00 and prior
o CX-Protocol versions 1.992 and prior
o CX-Programmer versions 9.65 and prior
o CX-Server versions 5.0.22 and prior
o Network Configurator versions 3.63 and prior
o Switch Box Utility versions 1.68 and prior
In one vulnerability, parsing malformed project files may cause a heap-based buffer overflow.
CVE-2018-8834 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.
In addition, parsing malformed project files may cause a stack-based buffer overflow.
CVE-2018-7514 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.
Also, parsing malformed project files may allow the pointer to call an incorrect object resulting in an access of resource using incompatible type condition.
CVE-2018-7530 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.
The product sees use mainly in the critical manufacturing sector. It also sees action on a global basis.
No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely. However, an attacker with low skill level could leverage the vulnerabilities.
Japan-based Omron released an updated version of CX-One to address the reported vulnerabilities. These releases are available through the CX-One auto-update service.
• CX-FLnet version 1.10
• CX-Protocol version 1.993
• CX-Programmer versions 9.66
• Common Module including CX-Server version 5.0.23
• Network Configurator version 3.64
• Switch Box Utility version 1.69