Flaws in Omron HMI Product Exploitable via Malicious Project Files

Japan-based electronics company Omron has released an update for its CX-Supervisor product to address several vulnerabilities that can be exploited for denial-of-service (DoS) attacks and remote code execution.

CX-Supervisor is a piece of software that allows organizations to create human-machine interfaces (HMIs) for supervisory control and data acquisition (SCADA) systems. According to ICS-CERT, the tool is used worldwide, mainly in the energy sector.

Researcher Esteban Ruiz of Source Incite has found several vulnerabilities in CX-Supervisor, including issues that have been assigned a “high” severity rating. The expert reported his findings to the vendor through Trend Micro’s Zero Day Initiative (ZDI).

Both ZDI and ICS-CERT have published advisories for the vulnerabilities found by Ruiz. The list includes use-after-free, lack of proper validation for user-supplied input, and type confusion issues that can be exploited to execute arbitrary code/commands. One of the security holes allows an attacker to delete any file on the system, which can result in a DoS condition.

The flaws can be exploited by convincing the targeted user to open a specially crafted project file on a vulnerable version of CX-Supervisor.

According to ZDI, the vulnerabilities were reported to the vendor in July 2018. ICS-CERT says the flaws have been patched with the release of version 3.5.0.11. The agency also recommends that users upgrade their development projects and save them in a new format for version 3.5.0.11.

A significant number of vulnerabilities have been found in this Omron product in the past year and ZDI will soon publish even more advisories for CX-Supervisor. An October advisory from ICS-CERT discloses four other flaws that can be exploited via malicious project files.

Ruiz has also discovered a vulnerability in Omron’s CX-One product. ZDI and ICS-CERT posted advisories earlier this month.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.