Japanese electronics giant Omron recently patched programmable logic controller (PLC) and engineering software vulnerabilities that were discovered by industrial cybersecurity firm Dragos during the analysis of a sophisticated piece of malware.
Last year, the US cybersecurity agency CISA informed organizations about three vulnerabilities affecting Omron NJ and NX-series controllers.
Dragos told SecurityWeek at the time that one of these flaws, a critical hardcoded credentials issue tracked as CVE-2022-34151 that can be used to access Omron PLCs, had been targeted by the industrial control system (ICS) attack framework known as Pipedream and Incontroller.
Pipedream is believed to be the work of a state-sponsored threat group, possibly linked to Russia.
Dragos determined last year that one of Pipedream’s components, named BadOmen, had exploited CVE-2022-34151 to interact with an HTTP server on targeted Omron NX/NJ controllers. BadOmen can be used to manipulate and cause disruption to physical processes.
During its research into the BadOmen malware, Dragos discovered additional vulnerabilities affecting Omron products, and CISA and the vendor have now released advisories to inform organizations about these new flaws and the availability of patches.
While these security holes were discovered during the analysis of the BadOmen malware, Reid Wightman, lead vulnerability analyst at Dragos, told SecurityWeek that they were not leveraged by malware and there is no evidence that they have been exploited in the wild. The bugs were found while investigating Omron equipment and related software.
CISA and Omron have each published three separate advisories. One of them describes CVE-2022-45790, a high-severity vulnerability in Omron CJ/CS/CP series PLCs that use the FINS protocol, which is susceptible to brute-force attacks.
The two other advisories describe medium-severity flaws affecting Omron Engineering software: CVE-2022-45793, a Sysmac Studio weakness that can be exploited to alter files and execute arbitrary code; and CVE-2018-1002205, a Sysmac Studio and NX-IO Configurator Zip-Slip bug that can be used to write arbitrary files using specially crafted ZIP archives.
Two of the vulnerabilities have been assigned 2022 CVEs because they were reported to Omron last year. “Sometimes vulnerabilities can take a while to fully address,” Wightman explained.
The flaw with the 2018 CVE impacts a third-party component used in Omron products.
Researcher Michael Heinzl has also been credited by Omron for reporting this vulnerability. Heinzl previously discovered several high-severity remote code execution vulnerabilities in Omron’s CX-Programmer software.