CVE-2022-31206
 
Descriptions
The Omron SYSMAC Nx product family PLCs (NJ series, NY series, NX series, and PMAC series) through 2022-05-18 lack cryptographic authentication. These PLCs are programmed using the Sysmac Studio engineering software (which compiles IEC 61131-3 conformant POU code to native machine code for execution by the PLC's runtime). The resulting machine code is executed by a runtime, typically controlled by a real-time operating system. The logic that is downloaded to the PLC does not seem to be cryptographically authenticated, allowing an attacker to manipulate object code transmitted to the PLC and execute arbitrary machine code on the processor of the PLC's CPU module in the context of the runtime. In the case of at least the NJ series, an RTOS and hardware combination is used that would potentially allow for memory protection and privilege separation and thus limit the impact of code execution. However, it was not confirmed whether these sufficiently segment the runtime from the rest of the RTOS.
CVSS Scores
SSVC
- Decision: -
Timeline
- 2022-05-18 CVE Reserved
- 2022-07-26 CVE Published
- 2024-02-16 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-347: Improper Verification of Cryptographic Signature
CAPEC
References (2)
URL | Tag | Source |
---|---|---|
https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-02 | Third Party Advisory | |
https://www.forescout.com/blog | Third Party Advisory | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | | Vendor | Product | Version | Other | Status |
---|---|---|---|---|---|---|---|---|---|---|
Omron | Nx701-1600 Firmware | < 1.29 | - | Affected | in | Omron | Nx701-1600 | - | - | Safe |
Omron | Nx701-1620 Firmware | < 1.29 | - | Affected | in | Omron | Nx701-1620 | - | - | Safe |
Omron | Nx701-1700 Firmware | < 1.29 | - | Affected | in | Omron | Nx701-1700 | - | - | Safe |
Omron | Nx701-1720 Firmware | < 1.29 | - | Affected | in | Omron | Nx701-1720 | - | - | Safe |
Omron | Nx701-z600 Firmware | < 1.29 | - | Affected | in | Omron | Nx701-z600 | - | - | Safe |
Omron | Nx701-z700 Firmware | < 1.29 | - | Affected | in | Omron | Nx701-z700 | - | - | Safe |
Omron | Nj101-1000 Firmware | < 1.49 | - | Affected | in | Omron | Nj101-1000 | - | - | Safe |
Omron | Nj101-1020 Firmware | < 1.49 | - | Affected | in | Omron | Nj101-1020 | - | - | Safe |
Omron | Nj101-9000 Firmware | < 1.49 | - | Affected | in | Omron | Nj101-9000 | - | - | Safe |
Omron | Nj101-9020 Firmware | < 1.49 | - | Affected | in | Omron | Nj101-9020 | - | - | Safe |
Omron | Nj301-1100 Firmware | < 1.49 | - | Affected | in | Omron | Nj301-1100 | - | - | Safe |
Omron | Nj301-1200 Firmware | < 1.49 | - | Affected | in | Omron | Nj301-1200 | - | - | Safe |
Omron | Nj501-1300 Firmware | < 1.49 | - | Affected | in | Omron | Nj501-1300 | - | - | Safe |
Omron | Nj501-1320 Firmware | < 1.49 | - | Affected | in | Omron | Nj501-1320 | - | - | Safe |
Omron | Nj501-1340 Firmware | < 1.49 | - | Affected | in | Omron | Nj501-1340 | - | - | Safe |
Omron | Nj501-1400 Firmware | < 1.49 | - | Affected | in | Omron | Nj501-1400 | - | - | Safe |
Omron | Nj501-1420 Firmware | < 1.49 | - | Affected | in | Omron | Nj501-1420 | - | - | Safe |
Omron | Nj501-1500 Firmware | < 1.49 | - | Affected | in | Omron | Nj501-1500 | - | - | Safe |
Omron | Nj501-1520 Firmware | < 1.49 | - | Affected | in | Omron | Nj501-1520 | - | - | Safe |
Omron | Nj501-4300 Firmware | < 1.49 | - | Affected | in | Omron | Nj501-4300 | - | - | Safe |
Omron | Nj501-4320 Firmware | < 1.49 | - | Affected | in | Omron | Nj501-4320 | - | - | Safe |
Omron | Nj501-4400 Firmware | < 1.49 | - | Affected | in | Omron | Nj501-4400 | - | - | Safe |
Omron | Nj501-4500 Firmware | < 1.49 | - | Affected | in | Omron | Nj501-4500 | - | - | Safe |
Omron | Nj501-5300 Firmware | < 1.49 | - | Affected | in | Omron | Nj501-5300 | - | - | Safe |
Omron | Nj501-5300-1 Firmware | < 1.49 | - | Affected | in | Omron | Nj501-5300-1 | - | - | Safe |