All the vulnerabilities related to OMRON Corporation - SYSMAC NX1P Series CPU Unit
jvndb-2023-001534
Vulnerability from jvndb
Published
2023-04-18 13:58
Modified
2024-05-23 17:35
Severity: Critical (CVSS v3.0 base score 9.8)
Summary
Security Issues in FINS protocol
Details
FINS (Factory Interface Network Service) is a message communication protocol designed for use in closed FA (Factory Automation) networks and used in FA networks composed of Omron products. FINS commands make it possible to read and write information, perform various operations, and change the configuration of FINS-compliant devices. The set of supported FINS commands varies by product:
* I/O memory area read/write
* Parameter area read/write
* Program area read/write
* Manage operation mode
* System configuration read
* CPU unit status read
* Time information access
* Message read/delete
* Manage access privileges
* Read fault history report, etc.
* File operation
* Forced set/reset
A FINS message consists of a "FINS header", a "FINS command code" and "parameters". When a device receives a FINS command message, it performs the operation corresponding to the "FINS command code" and sends the result as a response message to the destination given in the "FINS header" of the command message. The FINS protocol was designed on the assumption that the network is closed within the device, the production line, or the factory, and it provides no encryption, data verification, or authentication. Recent security research has shown multiple issues with the FINS protocol under conditions the protocol was not designed for, e.g., when a FINS network is connected to outside networks or can be physically accessed. The following issues with the FINS protocol have been reported:
1. Plaintext communication
Encrypted communication is not defined in the FINS protocol. FINS messages are transmitted unencrypted, so their contents can easily be read when intercepted, and alterations to FINS messages cannot be detected.
* Clear-text Transmission of Sensitive Information (CWE-319)
* Insufficient Verification of Data Authenticity (CWE-345)
2. No authentication required
Authentication is not defined in the FINS protocol, so attacks from malicious devices cannot be detected.
* Authentication Bypass by Spoofing (CWE-290)
* Authentication Bypass by Capture-replay (CWE-294)
* Missing Authentication for Critical Function (CWE-306)
* Insufficient Verification of Data Authenticity (CWE-345)
* Uncontrolled Resource Consumption (CWE-400)
* Unrestricted Externally Accessible Lock (CWE-412)
* Improper Control of Interaction Frequency (CWE-799)
This document is written by Omron and JPCERT/CC.
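To make the message structure above and issues 1 and 2 concrete, here is an added example; it is not Omron's or JPCERT/CC's code. It encodes and decodes FINS/UDP frames following the layout in Omron's public FINS reference (a 10-byte header ICF/RSV/GCT/DNA/DA1/DA2/SNA/SA1/SA2/SID, then the MRC/SRC command code and parameters, with the response mirroring the header and prepending a 2-byte end code), and adds a passive monitoring check that flags state-changing commands from hosts outside an allowlist and frames whose header source node disagrees with the IP source. The allowlist, the alert policy, the sample datagrams and the IP addresses are constructed assumptions; the node-address check assumes FINS/UDP automatic address conversion, under which the node address is the last octet of the IP address.

```python
"""FINS/UDP frame encoder/decoder and a minimal passive monitor.

Added example; not Omron or JPCERT/CC code. The header layout and the
command codes follow Omron's public FINS reference. The allowlist, the
alert policy and the sample datagrams are constructed assumptions.
"""
import struct
from dataclasses import dataclass

FINS_UDP_PORT = 9600                     # default FINS/UDP port
HEADER = struct.Struct("!10B")           # ICF RSV GCT DNA DA1 DA2 SNA SA1 SA2 SID
ICF_COMMAND, ICF_RESPONSE = 0x80, 0xC0   # bit 6 of ICF marks a response

# (MRC, SRC) -> name for the command families listed in the advisory.
COMMAND_NAMES = {
    (0x01, 0x01): "Memory Area Read",    (0x01, 0x02): "Memory Area Write",
    (0x02, 0x01): "Parameter Area Read", (0x02, 0x02): "Parameter Area Write",
    (0x03, 0x06): "Program Area Read",   (0x03, 0x07): "Program Area Write",
    (0x04, 0x01): "Run",                 (0x04, 0x02): "Stop",
    (0x05, 0x01): "Controller Data Read",
    (0x06, 0x01): "Controller Status Read",
    (0x07, 0x01): "Clock Read",          (0x07, 0x02): "Clock Write",
    (0x0C, 0x01): "Access Right Acquire",
    (0x0C, 0x02): "Access Right Forced Acquire",
    (0x22, 0x03): "Single File Write",
    (0x23, 0x01): "Forced Set/Reset",
}
# Writes, mode changes, access-right grabs and forced I/O alter PLC state.
STATE_CHANGING = {k for k, v in COMMAND_NAMES.items() if not v.endswith("Read")}


@dataclass(frozen=True)
class FinsFrame:
    icf: int; gct: int                 # information control field, gateway count
    dna: int; da1: int; da2: int       # destination network / node / unit
    sna: int; sa1: int; sa2: int       # source network / node / unit
    sid: int                           # 1-byte service id: the only per-request field
    mrc: int; src: int                 # command code (main / sub request code)
    body: bytes                        # parameters, or end code + data in a response

    @property
    def is_response(self) -> bool:
        return bool(self.icf & 0x40)

    @property
    def name(self) -> str:
        return COMMAND_NAMES.get((self.mrc, self.src),
                                 f"unknown {self.mrc:02X}{self.src:02X}")


def decode(data: bytes) -> FinsFrame:
    if len(data) < HEADER.size + 2:
        raise ValueError("short FINS frame")
    icf, _rsv, gct, dna, da1, da2, sna, sa1, sa2, sid = HEADER.unpack_from(data)
    mrc, src = data[HEADER.size], data[HEADER.size + 1]
    return FinsFrame(icf, gct, dna, da1, da2, sna, sa1, sa2, sid, mrc, src,
                     data[HEADER.size + 2:])


def encode(f: FinsFrame) -> bytes:
    hdr = HEADER.pack(f.icf, 0, f.gct, f.dna, f.da1, f.da2, f.sna, f.sa1, f.sa2, f.sid)
    return hdr + bytes([f.mrc, f.src]) + f.body


def command(dst_node, src_node, sid, mrc, src, body=b"", net=0) -> FinsFrame:
    """Command frame on one network (DNA = SNA = net, unit 0 on both ends)."""
    return FinsFrame(ICF_COMMAND, 2, net, dst_node, 0, net, src_node, 0, sid, mrc, src, body)


def memory_area_read(dst_node, src_node, sid, start_word, count, area=0x82) -> FinsFrame:
    """01 01 Memory Area Read: area code (0x82 = DM words), word address, bit 0, count."""
    return command(dst_node, src_node, sid, 0x01, 0x01,
                   struct.pack("!BHBH", area, start_word, 0, count))


def response(cmd: FinsFrame, end_code=0, data=b"") -> FinsFrame:
    """A response mirrors the header with source and destination swapped."""
    return FinsFrame(ICF_RESPONSE, cmd.gct, cmd.sna, cmd.sa1, cmd.sa2,
                     cmd.dna, cmd.da1, cmd.da2, cmd.sid, cmd.mrc, cmd.src,
                     struct.pack("!H", end_code) + data)


def classify(src_ip: str, data: bytes, allowlist: frozenset) -> str:
    """Passive check for one FINS/UDP datagram seen on a SPAN port.

    Assumes FINS/UDP automatic address conversion, so SA1 should equal the
    last octet of the sending IP. Nothing in the frame is authenticated, so
    this is a detection aid, not an access control."""
    f = decode(data)
    if f.is_response:
        return "ok: response"
    if f.sa1 != int(src_ip.rsplit(".", 1)[1]):
        return f"alert: header source node {f.sa1} does not match {src_ip}"
    if (f.mrc, f.src) in STATE_CHANGING and src_ip not in allowlist:
        return f"alert: {f.name} from non-allowlisted {src_ip}"
    return f"ok: {f.name}"


ALLOWLIST = frozenset({"192.168.250.10"})   # assumed engineering workstation


def demo() -> list:
    # Constructed traffic: a DM read from the workstation, a Stop from an
    # unknown host, the same Stop with a header claiming to be the
    # workstation, and the PLC's reply to the read.
    read = encode(memory_area_read(dst_node=1, src_node=10, sid=1, start_word=100, count=2))
    stop = encode(command(1, 77, 2, 0x04, 0x02))
    spoofed = encode(command(1, 10, 3, 0x04, 0x02))
    reply = encode(response(decode(read), 0, b"\x00\x2a\x00\x00"))
    return [classify("192.168.250.10", read, ALLOWLIST),
            classify("192.168.250.77", stop, ALLOWLIST),
            classify("192.168.250.77", spoofed, ALLOWLIST),
            classify("192.168.250.1", reply, ALLOWLIST)]
```

Running `demo()` returns one verdict per datagram: the read is accepted, the Stop from the unknown host is flagged, the spoofed header is flagged by the node/IP mismatch, and the reply is ignored. Because the frame carries no key, nonce or MAC, a captured command re-encodes byte for byte (`encode(decode(x)) == x`) and a forged SA1 costs the sender nothing, which is exactly CWE-290 and CWE-294 from the list above; the monitor raises the bar against careless sources but cannot substitute for the authentication the protocol lacks.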
References
* JVNTA#91513661 (JVN): https://jvn.jp/en/ta/JVNTA91513661/
* CVE-2023-27396 (CVE): https://www.cve.org/CVERecord?id=CVE-2023-27396
* CVE-2023-27396 (NVD): https://nvd.nist.gov/vuln/detail/CVE-2023-27396
* ICSA-20-063-03 (ICS-CERT ADVISORY): https://www.cisa.gov/news-events/ics-advisories/icsa-20-063-03
* ICSA-19-346-02 (ICS-CERT ADVISORY): https://www.cisa.gov/news-events/ics-advisories/icsa-19-346-02
* ICSA-22-179-02 (ICS-CERT ADVISORY): https://www.cisa.gov/news-events/ics-advisories/icsa-22-179-02
* CWE-290 Authentication Bypass by Spoofing: https://cwe.mitre.org/data/definitions/290.html
* CWE-294 Authentication Bypass by Capture-replay: https://cwe.mitre.org/data/definitions/294.html
* CWE-306 Missing Authentication for Critical Function: https://cwe.mitre.org/data/definitions/306.html
* CWE-319 Cleartext Transmission of Sensitive Information: https://cwe.mitre.org/data/definitions/319.html
* CWE-345 Insufficient Verification of Data Authenticity: https://cwe.mitre.org/data/definitions/345.html
* CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion'): https://cwe.mitre.org/data/definitions/400.html
* CWE-412 Unrestricted Externally Accessible Lock: https://cwe.mitre.org/data/definitions/412.html
* CWE-799 Improper Control of Interaction Frequency: https://cwe.mitre.org/data/definitions/799.html
Impacted products
* OMRON Corporation - SYSMAC CJ Series CPU Unit (cpe:/o:omron:sysmac_cj_series_cpu_unit)
* OMRON Corporation - SYSMAC CP Series CPU Unit (cpe:/o:omron:sysmac_cp_series_cpu_unit)
* OMRON Corporation - SYSMAC CS Series CPU Unit (cpe:/o:omron:sysmac_cs_series_cpu_unit)
* OMRON Corporation - SYSMAC NJ Series CPU Unit (cpe:/o:omron:sysmac_nj_series_cpu_unit)
* OMRON Corporation - SYSMAC NX102 Series CPU Unit (cpe:/o:omron:sysmac_nx102_series_cpu_unit)
* OMRON Corporation - SYSMAC NX1P Series CPU Unit (cpe:/o:omron:sysmac_nx1p_series_cpu_unit)
* OMRON Corporation - SYSMAC NX7 Database Connection CPU Unit (cpe:/o:omron:sysmac_nx7_database_connection_cpu_unit)
CVSS v3.0 base score: 9.8 (Critical), vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifier: JVNDB-2023-001534
Source page: https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-001534.html (issued 2023-04-18 13:58 +09:00, modified 2024-05-23 17:35 +09:00)