All the vulnerabilites related to OMRON Corporation - Machine Automation Controller NX Series
jvndb-2022-002691
Vulnerability from jvndb
Published
2022-11-10 09:46
Modified
2022-11-10 09:46
Severity
Summary
Multiple vulnerabilities in OMRON products
Details
Machine automation controller NJ/NX series, Automation software "Sysmac Studio", and programmable terminal (PT) NA series provided by OMRON Corporation contain multiple vulnerabilities in the communication function.
The vulnerabilities are as follows.
* Use of Hard-coded Credentials (CWE-798) - CVE-2022-34151
* Authentication Bypass by Capture-replay (CWE-294) - CVE-2022-33208
* Active Debug Code (CWE-489) - CVE-2022-33971
OMRON Corporation reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.
References
| Type | URL |
|---|---|
| JVN | https://jvn.jp/en/vu/JVNVU97050784/index.html |
| CVE | https://www.cve.org/CVERecord?id=CVE-2022-34151 |
| CVE | https://www.cve.org/CVERecord?id=CVE-2022-33208 |
| CVE | https://www.cve.org/CVERecord?id=CVE-2022-33971 |
| NVD | https://nvd.nist.gov/vuln/detail/CVE-2022-34151 |
| NVD | https://nvd.nist.gov/vuln/detail/CVE-2022-33208 |
| NVD | https://nvd.nist.gov/vuln/detail/CVE-2022-33971 |
| US-CERT National Cyber Awareness System Alerts | https://www.cisa.gov/uscert/ncas/alerts/aa22-103a |
| Authentication Bypass by Capture-replay(CWE-294) | https://cwe.mitre.org/data/definitions/294.html |
| Active Debug Code(CWE-489) | https://cwe.mitre.org/data/definitions/489.html |
| Use of Hard-coded Credentials(CWE-798) | https://cwe.mitre.org/data/definitions/798.html |
Impacted products
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2022/JVNDB-2022-002691.html",
"dc:date": "2022-11-10T09:46+09:00",
"dcterms:issued": "2022-11-10T09:46+09:00",
"dcterms:modified": "2022-11-10T09:46+09:00",
"description": "Machine automation controller NJ/NX series, Automation software \"Sysmac Studio\", and programmable terminal (PT) NA series provided by OMRON Corporation contain multiple vulnerabilities in the communication function.\r\nThe vulnerabilities are as follows.\r\n\r\n * Use of Hard-coded Credentials (CWE-798) - CVE-2022-34151\r\n * Authentication Bypass by Capture-replay (CWE-294) - CVE-2022-33208\r\n * Active Debug Code (CWE-489) - CVE-2022-33971\r\n\r\nOMRON Corporation reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.",
"link": "https://jvndb.jvn.jp/en/contents/2022/JVNDB-2022-002691.html",
"sec:cpe": [
{
"#text": "cpe:/a:omron:automation_software_sysmac_studio",
"@product": "Automation software \"Sysmac Studio\"",
"@vendor": "OMRON Corporation",
"@version": "2.2"
},
{
"#text": "cpe:/a:omron:machine_automation_controller_nj_series",
"@product": "Machine automation controller NJ series",
"@vendor": "OMRON Corporation",
"@version": "2.2"
},
{
"#text": "cpe:/a:omron:machine_automation_controller_nx_series",
"@product": "Machine automation controller NX series",
"@vendor": "OMRON Corporation",
"@version": "2.2"
},
{
"#text": "cpe:/a:omron:programmable_terminal_na_series",
"@product": "Programmable terminal (PT) NA series",
"@vendor": "OMRON Corporation",
"@version": "2.2"
}
],
"sec:cvss": {
"@score": "9.4",
"@severity": "Critical",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H",
"@version": "3.0"
},
"sec:identifier": "JVNDB-2022-002691",
"sec:references": [
{
"#text": "https://jvn.jp/en/vu/JVNVU97050784/index.html",
"@id": "JVNVU#97050784",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2022-34151",
"@id": "CVE-2022-34151",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2022-33208",
"@id": "CVE-2022-33208",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2022-33971",
"@id": "CVE-2022-33971",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2022-34151",
"@id": "CVE-2022-34151",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2022-33208",
"@id": "CVE-2022-33208",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2022-33971",
"@id": "CVE-2022-33971",
"@source": "NVD"
},
{
"#text": "https://www.cisa.gov/uscert/ncas/alerts/aa22-103a",
"@id": "AA22-103A",
"@source": "US-CERT National Cyber Awareness System Alerts"
},
{
"#text": "https://cwe.mitre.org/data/definitions/294.html",
"@id": "CWE-294",
"@title": "Authentication Bypass by Capture-replay(CWE-294)"
},
{
"#text": "https://cwe.mitre.org/data/definitions/489.html",
"@id": "CWE-489",
"@title": "Active Debug Code(CWE-489)"
},
{
"#text": "https://cwe.mitre.org/data/definitions/798.html",
"@id": "CWE-798",
"@title": "Use of Hard-coded Credentials(CWE-798)"
}
],
"title": "Multiple vulnerabilities in OMRON products"
}
jvndb-2024-002942
Vulnerability from jvndb
Published
2024-03-08 14:16
Modified
2024-03-08 14:16
Severity
Summary
OMRON NJ/NX series vulnerable to path traversal
Details
Machine Automation Controller NJ/NX series provided by OMRON Corporation contain a path traversal vulnerability (CWE-22, CVE-2024-27121).
OMRON Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
References
| Type | URL |
|---|---|
| JVN | https://jvn.jp/en/vu/JVNVU95852116/index.html |
| CVE | https://www.cve.org/CVERecord?id=CVE-2024-27121 |
| Path Traversal(CWE-22) | https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html |
Impacted products
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-002942.html",
"dc:date": "2024-03-08T14:16+09:00",
"dcterms:issued": "2024-03-08T14:16+09:00",
"dcterms:modified": "2024-03-08T14:16+09:00",
"description": "Machine Automation Controller NJ/NX series provided by OMRON Corporation contain a path traversal vulnerability (CWE-22, CVE-2024-27121).\r\n\r\nOMRON Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.",
"link": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-002942.html",
"sec:cpe": [
{
"#text": "cpe:/a:omron:machine_automation_controller_nj_series",
"@product": "Machine automation controller NJ series",
"@vendor": "OMRON Corporation",
"@version": "2.2"
},
{
"#text": "cpe:/a:omron:machine_automation_controller_nx_series",
"@product": "Machine automation controller NX series",
"@vendor": "OMRON Corporation",
"@version": "2.2"
}
],
"sec:cvss": {
"@score": "7.2",
"@severity": "High",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"@version": "3.0"
},
"sec:identifier": "JVNDB-2024-002942",
"sec:references": [
{
"#text": "https://jvn.jp/en/vu/JVNVU95852116/index.html",
"@id": "JVNVU#95852116",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2024-27121",
"@id": "CVE-2024-27121",
"@source": "CVE"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-22",
"@title": "Path Traversal(CWE-22)"
}
],
"title": "OMRON NJ/NX series vulnerable to path traversal"
}
jvndb-2024-003242
Vulnerability from jvndb
Published
2024-05-28 12:28
Modified
2024-07-26 16:27
Severity
Summary
OMRON NJ/NX series vulnerable to insufficient verification of data authenticity
Details
Machine Automation Controller NJ/NX series provided by OMRON Corporation contain an issue with insufficient verification of data authenticity (CWE-345).
OMRON Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
References
| Type | URL |
|---|---|
| JVN | https://jvn.jp/en/vu/JVNVU92504444/index.html |
| CVE | https://www.cve.org/CVERecord?id=CVE-2024-33687 |
| NVD | https://nvd.nist.gov/vuln/detail/CVE-2024-33687 |
| Insufficient Verification of Data Authenticity(CWE-345) | https://cwe.mitre.org/data/definitions/345.html |
Impacted products
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-003242.html",
"dc:date": "2024-07-26T16:27+09:00",
"dcterms:issued": "2024-05-28T12:28+09:00",
"dcterms:modified": "2024-07-26T16:27+09:00",
"description": "Machine Automation Controller NJ/NX series provided by OMRON Corporation contain an issue with insufficient verification of data authenticity (CWE-345).\r\n\r\nOMRON Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.",
"link": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-003242.html",
"sec:cpe": [
{
"#text": "cpe:/a:omron:machine_automation_controller_nj_series",
"@product": "Machine automation controller NJ series",
"@vendor": "OMRON Corporation",
"@version": "2.2"
},
{
"#text": "cpe:/a:omron:machine_automation_controller_nx_series",
"@product": "Machine automation controller NX series",
"@vendor": "OMRON Corporation",
"@version": "2.2"
}
],
"sec:cvss": {
"@score": "4.8",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"@version": "3.0"
},
"sec:identifier": "JVNDB-2024-003242",
"sec:references": [
{
"#text": "https://jvn.jp/en/vu/JVNVU92504444/index.html",
"@id": "JVNVU#92504444",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2024-33687",
"@id": "CVE-2024-33687",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2024-33687",
"@id": "CVE-2024-33687",
"@source": "NVD"
},
{
"#text": "https://cwe.mitre.org/data/definitions/345.html",
"@id": "CWE-345",
"@title": "Insufficient Verification of Data Authenticity(CWE-345)"
}
],
"title": "OMRON NJ/NX series vulnerable to insufficient verification of data authenticity"
}
cve-2024-27121
Vulnerability from cvelistv5
Published
2024-03-12 07:55
Modified
2024-08-16 19:50
Severity
Summary
Path traversal vulnerability exists in Machine Automation Controller NJ Series and Machine Automation Controller NX Series. An arbitrary file in the affected product may be accessed or arbitrary code may be executed by processing a specially crafted request sent from a remote attacker with an administrative privilege. As for the details of the affected product names/versions, see the information provided by the vendor under [References] section.
References
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:27:59.260Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/en/OMSR-2024-001_en.pdf"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/ja/OMSR-2024-001_ja.pdf"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/vu/JVNVU95852116/index.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:o:omron:nj101-1000_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj101-1020_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj101-9000_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj101-9020_firmware:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "nj101-9020_firmware",
"vendor": "omron",
"versions": [
{
"lessThanOrEqual": "1.64.03",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:omron:nj301-1100_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj301-1200_firmware:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "nj301-1200_firmware",
"vendor": "omron",
"versions": [
{
"lessThanOrEqual": "1.64.00",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:omron:nj501-1300_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-1320_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-1340_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-1400_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-1420_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-1500_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-1520_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-4300_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-4310_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-4320_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-4400_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-4500_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-5300_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-r300_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-r320_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-r400_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-r420_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-r500_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-r520_firmware:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "nj501-r520_firmware",
"vendor": "omron",
"versions": [
{
"lessThanOrEqual": "1.64.00",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-27121",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-12T18:25:40.523309Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-16T19:50:12.016Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Machine Automation Controller NJ Series ",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ101-[][][][] Ver.1.64.03 and earlier "
}
]
},
{
"product": "Machine Automation Controller NJ Series ",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ301-[][][][] Ver.1.64.00 and earlier "
}
]
},
{
"product": "Machine Automation Controller NJ Series ",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-1[]0[] Ver.1.64.03 and earlier "
}
]
},
{
"product": "Machine Automation Controller NJ Series ",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-1[]2[] Ver.1.64.00 and earlier "
}
]
},
{
"product": "Machine Automation Controller NJ Series ",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-1340 Ver.1.64.00 and earlier "
}
]
},
{
"product": "Machine Automation Controller NJ Series ",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-4[][][] Ver.1.64.00 and earlier "
}
]
},
{
"product": "Machine Automation Controller NJ Series ",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-5300 Ver.1.64.00 and earlier "
}
]
},
{
"product": "Machine Automation Controller NJ Series ",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-R[][][] Ver.1.64.00 and earlier "
}
]
},
{
"product": "Machine Automation Controller NX Series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NX1P2-[][][][][][] Ver.1.64.00 and earlier "
}
]
},
{
"product": "Machine Automation Controller NX Series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NX1P2-[][][][][][]1 Ver.1.64.00 and earlier "
}
]
},
{
"product": "Machine Automation Controller NX Series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NX102-[][][][] Ver.1.64.00 and earlier "
}
]
},
{
"product": "Machine Automation Controller NX Series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NX502-[][][][] Ver.1.65.01 and earlier "
}
]
},
{
"product": "Machine Automation Controller NX Series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NX701-[][][][] Ver.1.35.00 and earlier "
}
]
},
{
"product": "Machine Automation Controller NX Series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NX-EIP201 Ver.1.00.01 and earlier "
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Path traversal vulnerability exists in Machine Automation Controller NJ Series and Machine Automation Controller NX Series. An arbitrary file in the affected product may be accessed or arbitrary code may be executed by processing a specially crafted request sent from a remote attacker with an administrative privilege. As for the details of the affected product names/versions, see the information provided by the vendor under [References] section."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Path traversal",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-12T07:55:48.301Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/en/OMSR-2024-001_en.pdf"
},
{
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/ja/OMSR-2024-001_ja.pdf"
},
{
"url": "https://jvn.jp/en/vu/JVNVU95852116/index.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-27121",
"datePublished": "2024-03-12T07:55:48.301Z",
"dateReserved": "2024-02-20T08:22:05.133Z",
"dateUpdated": "2024-08-16T19:50:12.016Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}