All the vulnerabilities related to OMRON Corporation - SYSMAC CJ Series CPU Unit
jvndb-2023-001534
Vulnerability from jvndb
Published: 2023-04-18 13:58
Modified: 2024-05-23 17:35
Severity: Critical (CVSS 3.0 base score 9.8)
Summary
Security Issues in FINS protocol
Details
FINS (Factory Interface Network Service) is a message communication protocol designed for use in closed FA (Factory Automation) networks, and it is used in FA networks composed of Omron products. FINS commands make it possible to read and write information, carry out various operations, and set the configuration of FINS-compliant devices. The supported FINS commands vary depending on the product:

* I/O memory area read/write
* Parameter area read/write
* Program area read/write
* Manage operation mode
* System configuration read
* CPU unit status read
* Time information access
* Message read/delete
* Manage access privileges
* Read fault history report, etc.
* File operation
* Forced set/reset

A FINS message consists of a "FINS header", a "FINS command code" and a "parameter". When a FINS command message is received, the receiving entity carries out the operation corresponding to the "FINS command code" and sends the result as a response message to the destinations listed in the "FINS header" of the command message. The FINS protocol is designed on the assumption that the network is closed within the device, the production line, or the factory, and it provides no encryption, data verification, or authentication functions. Recent security research has shown multiple issues with the FINS protocol under conditions the protocol does not anticipate, e.g., a FINS network connected to outside networks, or a FINS network that can be physically accessed. The following issues with the FINS protocol have been reported:

1. Plaintext communication
Encrypted communication is not defined in the FINS protocol. FINS messages are transmitted unencrypted, so their contents can easily be read when intercepted. Alterations of FINS messages also cannot be detected.

* Cleartext Transmission of Sensitive Information (CWE-319)
* Insufficient Verification of Data Authenticity (CWE-345)

2. No authentication required
Authentication is not defined in the FINS protocol. Attacks from malicious devices cannot be detected.

* Authentication Bypass by Spoofing (CWE-290)
* Authentication Bypass by Capture-replay (CWE-294)
* Missing Authentication for Critical Function (CWE-306)
* Insufficient Verification of Data Authenticity (CWE-345)
* Uncontrolled Resource Consumption (CWE-400)
* Unrestricted Externally Accessible Lock (CWE-412)
* Improper Control of Interaction Frequency (CWE-799)

This document is written by Omron and JPCERT/CC.
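Because FINS itself cannot authenticate or rate-limit a sender, the compensating control is to watch the network boundary. The following passive monitor is an added example, not code from Omron or JPCERT/CC: it splits captured FINS/UDP datagrams into header, command code and parameter, then alerts on commands from hosts outside the FA network, on state-changing commands (which nothing authenticates), and on per-host command floods. The 10-byte header layout, the response flag in ICF, and the abridged command-code table are assumptions taken from Omron's public FINS reference rather than from this advisory; the sample datagrams and addresses are constructed.

```python
from collections import Counter

# Assumed layout (not stated in the advisory, taken from Omron's FINS reference):
# 10-byte header ICF,RSV,GCT,DNA,DA1,DA2,SNA,SA1,SA2,SID, then MRC,SRC command
# code, then the parameter. ICF bit 6 marks a response. Table is abridged.
FINS_COMMANDS = {
    (0x01, 0x01): ("I/O memory area read", False),    # (name, changes PLC state?)
    (0x01, 0x02): ("I/O memory area write", True),
    (0x02, 0x02): ("Parameter area write", True),
    (0x03, 0x07): ("Program area write", True),
    (0x04, 0x01): ("Operation mode RUN", True),
    (0x04, 0x02): ("Operation mode STOP", True),
    (0x06, 0x01): ("CPU unit status read", False),
    (0x23, 0x01): ("Forced set/reset", True),
}

def parse_fins(payload: bytes) -> dict:
    """Split a FINS/UDP payload into header fields, command code and parameter."""
    if len(payload) < 12:
        raise ValueError("too short for a FINS header plus command code")
    icf, _rsv, _gct, _dna, da1, _da2, _sna, sa1, _sa2, sid = payload[:10]
    return {"is_response": bool(icf & 0x40), "dst_node": da1, "src_node": sa1,
            "sid": sid, "command": (payload[10], payload[11]),
            "parameter": payload[12:]}

def audit(datagrams, allowed_sources, rate_limit=20):
    """Return alerts for commands from hosts outside the FA network, for
    state-changing commands (nothing authenticates them), and for command floods."""
    alerts, per_source = [], Counter()
    for src_ip, payload in datagrams:
        msg = parse_fins(payload)
        if msg["is_response"]:
            continue                      # only commands are audited
        per_source[src_ip] += 1
        name, changes_state = FINS_COMMANDS.get(msg["command"], ("unknown command", True))
        if src_ip not in allowed_sources:
            alerts.append(f"{src_ip}: {name} from host outside FA network (CWE-306)")
        elif changes_state:
            alerts.append(f"{src_ip}: unauthenticated {name} accepted (CWE-345)")
    alerts += [f"{ip}: {n} commands exceed limit {rate_limit} (CWE-799)"
               for ip, n in per_source.items() if n > rate_limit]
    return alerts

# Constructed sample: a memory-area read from the engineering workstation, then
# an operation-mode STOP from a host that should never reach the FA network.
SAMPLE = [
    ("10.0.1.5", bytes([0x80, 0, 2, 0, 10, 0, 0, 20, 0, 1, 0x01, 0x01, 0x82, 0, 0x64, 0, 0, 1])),
    ("192.0.2.9", bytes([0x80, 0, 2, 0, 10, 0, 0, 99, 0, 2, 0x04, 0x02])),
]
```

Feed it `(source_ip, udp_payload)` pairs from a capture on UDP port 9600 (the FINS/UDP port Omron documents) and tune `allowed_sources` to the engineering hosts that legitimately issue commands; a FINS/TCP stream carries an extra 16-byte TCP header in front of the same frame.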
References
JVN https://jvn.jp/en/ta/JVNTA91513661/
CVE https://www.cve.org/CVERecord?id=CVE-2023-27396
NVD https://nvd.nist.gov/vuln/detail/CVE-2023-27396
ICS-CERT ADVISORY https://www.cisa.gov/news-events/ics-advisories/icsa-20-063-03
ICS-CERT ADVISORY https://www.cisa.gov/news-events/ics-advisories/icsa-19-346-02
ICS-CERT ADVISORY https://www.cisa.gov/news-events/ics-advisories/icsa-22-179-02
Authentication Bypass by Spoofing (CWE-290) https://cwe.mitre.org/data/definitions/290.html
Authentication Bypass by Capture-replay (CWE-294) https://cwe.mitre.org/data/definitions/294.html
Missing Authentication for Critical Function (CWE-306) https://cwe.mitre.org/data/definitions/306.html
Cleartext Transmission of Sensitive Information (CWE-319) https://cwe.mitre.org/data/definitions/319.html
Insufficient Verification of Data Authenticity (CWE-345) https://cwe.mitre.org/data/definitions/345.html
Uncontrolled Resource Consumption ('Resource Exhaustion') (CWE-400) https://cwe.mitre.org/data/definitions/400.html
Unrestricted Externally Accessible Lock (CWE-412) https://cwe.mitre.org/data/definitions/412.html
Improper Control of Interaction Frequency (CWE-799) https://cwe.mitre.org/data/definitions/799.html
{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-001534.html",
  "dc:date": "2024-05-23T17:35+09:00",
  "dcterms:issued": "2023-04-18T13:58+09:00",
  "dcterms:modified": "2024-05-23T17:35+09:00",
  "description": "FINS (Factory Interface Network Service) is a message communication protocol, which is designed to be used in closed FA (Factory Automation) networks, and is used in FA networks composed of Omron products. FINS commands enable to read/write information, conduct various operations and set the configuration on FINS-compliant devices. The supported FINS commands vary depending on the products.\r\n\r\n* I/O memory area read/write\r\n* Parameter area read/write\r\n* Program area read/write\r\n* Manage operation mode\r\n* System configuration read\r\n* CPU unit status read\r\n* Time information access\r\n* Message read/delete\r\n* Manage access privileges\r\n* Read fault history report, etc.\r\n* File operation\r\n* Forced set/reset\r\n\r\nFINS message consists of \"FINS header\", \"FINS command code\" and \"parameter\". When receiving a FINS command message, the entity conducts the operation corresponding to the \"FINS command code\", and sends the result as a response message to the destinations listed in \"FINS header\" of the command message. FINS protocol is designed with the assumptions that the network is closed inside the device, the production lines, or within the factory, and does not provide any encryption, data verification, nor authentication functions. Recent security researches show multiple issues on FINS protocol, under the conditions which FINS protocol does not consider, e.g., a FINS network is connected to other outside networks, FINS network can be physically accessed, etc. The following issues on FINS protocol have been reported:\r\n \r\n1. Plaintext communication\r\nEncrypted communication is not defined in FINS protocol. FINS messages are transmitted unencrypted and the contents can be seen easily when intercepted. Also alterations of FINS messages cannot be detected.\r\n\r\n* Clear-text Transmission of Sensitive Information (CWE-319)\r\n* Insufficient Verification of Data Authenticity (CWE-345)\r\n\r\n2. No authentication required\r\nAuthentication is not defined in FINS protocol. Attacks from malicious devices cannot be detected.\r\n\r\n* Authentication Bypass by Spoofing (CWE-290)\r\n* Authentication Bypass by Capture-replay (CWE-294)\r\n* Missing Authentication for Critical Function (CWE-306)\r\n* Insufficient Verification of Data Authenticity (CWE-345)\r\n* Uncontrolled Resource Consumption (CWE-400)\r\n* Unrestricted Externally Accessible Lock(CWE-412)\r\n* Improper Control of Interaction Frequency (CWE-799)\r\n\r\nThis document is written by Omron and JPCERT/CC.",
  "link": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-001534.html",
  "sec:cpe": [
    {
      "#text": "cpe:/o:omron:sysmac_cj_series_cpu_unit",
      "@product": "SYSMAC CJ Series CPU Unit",
      "@vendor": "OMRON Corporation",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/o:omron:sysmac_cp_series_cpu_unit",
      "@product": "SYSMAC CP Series CPU Unit",
      "@vendor": "OMRON Corporation",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/o:omron:sysmac_cs_series_cpu_unit",
      "@product": "SYSMAC CS Series CPU Unit",
      "@vendor": "OMRON Corporation",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/o:omron:sysmac_nj_series_cpu_unit",
      "@product": "SYSMAC NJ Series CPU Unit",
      "@vendor": "OMRON Corporation",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/o:omron:sysmac_nx102_series_cpu_unit",
      "@product": "SYSMAC NX102 Series CPU Unit",
      "@vendor": "OMRON Corporation",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/o:omron:sysmac_nx1p_series_cpu_unit",
      "@product": "SYSMAC NX1P Series CPU Unit",
      "@vendor": "OMRON Corporation",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/o:omron:sysmac_nx7_database_connection_cpu_unit",
      "@product": "SYSMAC NX7 Database Connection CPU Unit",
      "@vendor": "OMRON Corporation",
      "@version": "2.2"
    }
  ],
  "sec:cvss": {
    "@score": "9.8",
    "@severity": "Critical",
    "@type": "Base",
    "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "@version": "3.0"
  },
  "sec:identifier": "JVNDB-2023-001534",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/ta/JVNTA91513661/",
      "@id": "JVNTA#91513661",
      "@source": "JVN"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2023-27396",
      "@id": "CVE-2023-27396",
      "@source": "CVE"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-27396",
      "@id": "CVE-2023-27396",
      "@source": "NVD"
    },
    {
      "#text": "https://www.cisa.gov/news-events/ics-advisories/icsa-20-063-03",
      "@id": "ICSA-20-063-03",
      "@source": "ICS-CERT ADVISORY"
    },
    {
      "#text": "https://www.cisa.gov/news-events/ics-advisories/icsa-19-346-02",
      "@id": "ICSA-19-346-02",
      "@source": "ICS-CERT ADVISORY"
    },
    {
      "#text": "https://www.cisa.gov/news-events/ics-advisories/icsa-22-179-02",
      "@id": "ICSA-22-179-02",
      "@source": "ICS-CERT ADVISORY"
    },
    {
      "#text": "https://cwe.mitre.org/data/definitions/290.html",
      "@id": "CWE-290",
      "@title": "Authentication Bypass by Spoofing(CWE-290)"
    },
    {
      "#text": "https://cwe.mitre.org/data/definitions/294.html",
      "@id": "CWE-294",
      "@title": "Authentication Bypass by Capture-replay(CWE-294)"
    },
    {
      "#text": "https://cwe.mitre.org/data/definitions/306.html",
      "@id": "CWE-306",
      "@title": "Missing Authentication for Critical Function(CWE-306)"
    },
    {
      "#text": "https://cwe.mitre.org/data/definitions/319.html",
      "@id": "CWE-319",
      "@title": "Cleartext Transmission of Sensitive Information(CWE-319)"
    },
    {
      "#text": "https://cwe.mitre.org/data/definitions/345.html",
      "@id": "CWE-345",
      "@title": "Insufficient Verification of Data Authenticity(CWE-345)"
    },
    {
      "#text": "https://cwe.mitre.org/data/definitions/400.html",
      "@id": "CWE-400",
      "@title": "Uncontrolled Resource Consumption (\u0027Resource Exhaustion\u0027)(CWE-400)"
    },
    {
      "#text": "https://cwe.mitre.org/data/definitions/412.html",
      "@id": "CWE-412",
      "@title": "Unrestricted Externally Accessible Lock(CWE-412)"
    },
    {
      "#text": "https://cwe.mitre.org/data/definitions/799.html",
      "@id": "CWE-799",
      "@title": "Improper Control of Interaction Frequency(CWE-799)"
    }
  ],
  "title": "Security Issues in FINS protocol"
}