Positive Technologies helps eradicate vulnerabilities in OMRON controllers

PLCs [1] are used in a wide range of equipment, from machine tools to pipeline systems

Vulnerability CVE-2023-22357 received a CVSS v3 score of 9.1, which indicates a critical level of severity. Its exploitation allowed unauthenticated attackers to read and change an arbitrary area of the controller memory. This could lead to firmware being overwritten, denial of service, or arbitrary code execution. The vendor was notified of the threat under the responsible disclosure policy and eliminated the vulnerability in the new firmware.

OMRON CP1L controllers are used to control compact machines and quickly build automation systems. PLCs are used, for example, to control conveyors and machine tools, pipeline assemblies at a power plant, microclimate on farms, product quality control systems, and automatic packaging machines.

The vulnerability in the CP1L-EL20DR-D OMRON controller was discovered by Positive Technologies expert Georgy Kiguradze [2]. The flaw is due to undocumented commands in the FINS communication protocol [3]. Such commands are used for debugging PLC software [4].

Vladimir Nazarov, Head of ICS Security at Positive Technologies, explained: "In case of a targeted cyberattack, exploitation of this vulnerability would lead to industrial process shutdown or equipment failure. Attackers can use third-party or their own software to abuse flaws in the FINS protocol, affecting the equipment operation. In particular, they can change the algorithms being executed, load malicious firmware, change the values of variables, or set invalid values on module outputs to bypass the locking algorithms. Today it is necessary to conduct cyberexercises to evaluate the security of production systems and check whether non-tolerable events can be triggered. Such exercises demonstrate the potential consequences of attacks on real infrastructures and can help to develop protective measures and response scenarios."

To eliminate the vulnerability, the controller manufacturer recommends updating the firmware and enabling the "Extend password protection" function.

Attacks via the FINS protocol can be detected with products that analyze industrial network traffic, such as PT Industrial Security Incident Manager (PT ISIM).

  1. Programmable logic controller
  2. Georgy Kiguradze currently works for another company
  3. Open communication protocol supported by most OMRON controllers and networks
  4. Debugging is needed to detect an error during program operation. It can be started when the flaw is detected or later