Flaws in Omron HMI Product Exploitable via Malicious Project Files
Japan-based electronics company Omron has released an update for its CX-Supervisor product to address several vulnerabilities that can be exploited for denial-of-service (DoS) attacks and remote code execution.
CX-Supervisor is a piece of software that allows organizations to create human-machine interfaces (HMIs) for supervisory control and data acquisition (SCADA) systems. According to ICS-CERT, the tool is used worldwide, mainly in the energy sector.
Researcher Esteban Ruiz of Source Incite has found several vulnerabilities in CX-Supervisor, including issues that have been assigned a “high” severity rating. The expert reported his findings to the vendor through Trend Micro’s Zero Day Initiative (ZDI).
Both ZDI and ICS-CERT have published advisories for the vulnerabilities found by Ruiz. The list includes use-after-free, lack of proper validation for user-supplied input, and type confusion issues that can be exploited to execute arbitrary code/commands. One of the security holes allows an attacker to delete any file on the system, which can result in a DoS condition.
The flaws can be exploited by convincing the targeted user to open a specially crafted project file on a vulnerable version of CX-Supervisor.
According to ZDI, the vulnerabilities were reported to the vendor in July 2018. ICS-CERT says the flaws have been patched with the release of version 126.96.36.199. The agency also recommends that users upgrade their development projects and save them in a new format for version 188.8.131.52.
A significant number of vulnerabilities have been found in this Omron product in the past year and ZDI will soon publish even more advisories for CX-Supervisor. An October advisory from ICS-CERT discloses four other flaws that can be exploited via malicious project files.
Ruiz has also discovered a vulnerability in Omron’s CX-One product. ZDI and ICS-CERT posted advisories earlier this month.