Omron Patches PLC, Engineering Software Flaws Discovered During ICS Malware Analysis
Introduction
Japanese electronics giant Omron has patched vulnerabilities in its programmable logic controllers (PLCs) and engineering software after industrial cybersecurity firm Dragos found them while analyzing a sophisticated piece of ICS malware. The malware itself does not exploit these particular flaws, and there is no evidence of exploitation in the wild, but the discovery highlights the ongoing importance of robust cybersecurity measures in industrial control systems (ICS). This report looks at the vulnerabilities, their potential implications, and the actions taken by Omron and the cybersecurity community to address them.
The Background
Last year, the US cybersecurity agency CISA notified organizations about three vulnerabilities affecting Omron NJ- and NX-series controllers. One of them, the critical CVE-2022-34151, involved hardcoded credentials that could be used to access the PLCs, and it was targeted by the ICS attack framework known as Pipedream (also tracked as Incontroller). Pipedream is believed to be the work of a state-sponsored threat group, possibly linked to Russia. While analyzing the malware, Dragos found additional vulnerabilities in Omron products, and Omron and CISA have now released advisories and patches to address these new flaws.
The Vulnerabilities
The vulnerabilities discovered during the analysis include:
- CVE-2022-45790: A high-severity vulnerability in Omron CJ-, CS- and CP-series PLCs. The FINS protocol these controllers use is susceptible to brute-force attacks.
- CVE-2022-45793: A medium-severity weakness in Omron's Sysmac Studio engineering software that can be exploited to alter files and execute arbitrary code.
- CVE-2018-1002205: Another medium-severity vulnerability, affecting both Sysmac Studio and NX-IO Configurator. It is a Zip Slip bug, i.e. a path traversal during archive extraction: an entry name containing "../" segments is joined onto the extraction directory without validation, so a specially crafted ZIP archive can write files to arbitrary locations on the machine that opens it.
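As an added example (this is not code from Omron, Dragos or the advisories, and the archive contents, entry names and directory layout are constructed for illustration), the Zip Slip pattern in Python: a naive extractor that trusts entry names, beside a hardened one that resolves every entry against the destination and refuses anything that would land outside it. Python's own `zipfile.extractall` already sanitizes names, so the vulnerable extractor is written by hand to show the bug.

```python
import io
import os
import tempfile
import zipfile

# Constructed sample archive (not taken from any real exploit): one benign
# entry and one whose name starts with "../" so a naive extractor writes it
# outside the chosen extraction directory. Both entry names are made up.
BENIGN_ENTRY = "project/settings.xml"
MALICIOUS_ENTRY = "../../outside.txt"


def build_archive() -> bytes:
    """Return ZIP bytes containing a benign entry and a traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(BENIGN_ENTRY, "<settings/>")
        zf.writestr(MALICIOUS_ENTRY, "written outside the extraction dir")
    return buf.getvalue()


def extract_naive(archive: bytes, dest: str):
    """Vulnerable extractor: joins the entry name onto dest without checks,
    so '..' segments in the name walk out of dest (the Zip Slip pattern).
    Returns (entry name, resolved path written) pairs."""
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.join(dest, info.filename)  # no validation
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append((info.filename, os.path.realpath(target)))
    return written


def entry_is_safe(dest: str, name: str) -> bool:
    """True only if name resolves to a location inside dest.
    realpath normalizes '..' and follows symlinks; commonpath then tells us
    whether dest is still a prefix of the resolved target. An absolute entry
    name is rejected too, because os.path.join discards dest for it."""
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, name))
    return os.path.commonpath([root, target]) == root


def extract_safe(archive: bytes, dest: str):
    """Hardened extractor: refuses any entry that would escape dest.
    Returns (names written, names rejected)."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if not entry_is_safe(dest, info.filename):
                rejected.append(info.filename)
                continue
            target = os.path.join(dest, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(info.filename)
    return written, rejected


def demo():
    """Run both extractors against the constructed archive in a temp tree.
    dest is nested two levels down so the '../../' entry still lands inside
    the temporary directory and is cleaned up afterwards."""
    archive = build_archive()
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "a", "b", "extract")
        os.makedirs(dest)
        root = os.path.realpath(dest)
        naive = extract_naive(archive, dest)
        escaped = [name for name, path in naive
                   if os.path.commonpath([root, path]) != root]
        safe_written, safe_rejected = extract_safe(archive, dest)
    return {
        "naive_escaped": escaped,        # entries the naive extractor wrote outside dest
        "safe_written": safe_written,    # entries the hardened extractor accepted
        "safe_rejected": safe_rejected,  # entries the hardened extractor refused
    }


if __name__ == "__main__":
    print(demo())
```

The check in `entry_is_safe` is the whole fix: validate the resolved path, not the raw name, since a name can hide traversal behind symlinks or mixed separators that a simple `".." in name` test misses.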
The Response
Omron and CISA have each published three separate advisories to inform organizations about these vulnerabilities. Omron has promptly released patches to address the security holes, and organizations are advised to update their Omron products to the latest firmware and software versions to mitigate the risk of exploitation.
The Significance
While there is no evidence that these vulnerabilities have been exploited in the wild, their discovery highlights the ongoing risk faced by industrial control systems. State-sponsored threat groups are known to target critical infrastructure, and vulnerabilities in PLCs and engineering software provide an avenue for disruptive attacks on physical processes. Dragos finding the flaws during malware analysis, and Omron patching them, is an example of the regular security auditing and updating the industrial sector needs.
The Delay in Addressing Vulnerabilities
One notable aspect of this incident is the time it took to fully address the vulnerabilities. Two of them carry 2022 CVE identifiers, indicating that they were reported to Omron last year; the third, CVE-2018-1002205, carries a 2018 identifier, and the Zip Slip class of bugs it belongs to was publicly disclosed in 2018. Reid Wightman, lead vulnerability analyst at Dragos, explains that vulnerabilities can sometimes take a while to fully address. Long fix cycles are common for PLC firmware, which must be validated against the processes it controls before release, but organizations should still prioritize timely vulnerability management to minimize risk and protect critical infrastructure from potential threats.
Advice for Organizations
Organizations that rely on Omron products should update their PLCs and engineering software to the latest firmware and software versions as soon as their change windows allow. Where a controller cannot be taken offline for a firmware update right away, standard ICS practice is to restrict which hosts can reach it over the network in the meantime, since the FINS brute-force issue is only reachable by a party that can talk to the controller. Engineering workstations deserve the same attention: the Sysmac Studio and NX-IO Configurator flaws are triggered by opening crafted files, so project files and archives from untrusted sources should not be opened on them. Beyond this incident, organizations should regularly conduct security audits and implement robust cybersecurity measures to protect against potential threats.
Conclusion
The discovery and patching of vulnerabilities in Omron PLCs and engineering software highlight the ongoing risk faced by industrial control systems. The potential for state-sponsored threat groups to exploit these vulnerabilities underscores the need for vigilant cybersecurity measures in the industrial sector. Organizations should prioritize timely vulnerability management and engage in regular security audits to protect critical infrastructure from potential attacks.
Editorial
The recent discovery of vulnerabilities in Omron PLCs and engineering software serves as a reminder of the constant threat faced by industrial control systems. As reliance on interconnected technology continues to grow, so does the potential for cyberattacks on critical infrastructure. Protecting industrial control systems is not only crucial for the functioning of our modern society but also for safeguarding public safety and preventing potentially catastrophic consequences. It is crucial for organizations in the industrial sector, as well as governments and regulatory bodies, to prioritize cybersecurity and invest in robust measures to mitigate the risk of exploitation. Collaboration between cybersecurity firms, such as Dragos, and companies like Omron is essential in identifying and addressing vulnerabilities before they can be exploited. As technology evolves, so must our defenses against cyber threats, and organizations must stay ahead of the curve to ensure the safety and security of our critical infrastructure.