This afternoon the DHS ICS-CERT published an advisory for multiple vulnerabilities in the Omron CX-Programmer Software. The vulnerabilities were reported by Stephen Dunlap of the Air Force Institute of Technology. Omron has produced new versions of the affected products, but there is no indication that Dunlap was provided an opportunity to verify the efficacy of the fix.
The three vulnerabilities fall into two classes:
• Clear text transmission of sensitive information, CVE-2015-0987; and
• Storing passwords in a recoverable format, CVE-2015-0988 and CVE-2015-1015.
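The second class deserves a closer look, because "recoverable format" is a weakness rather than a protocol detail. The following is an added example written for this post, not Omron's code and not a description of how CX-Programmer actually stores its passwords; the obfuscation key, the file layout and the password are all constructed for illustration. It contrasts a hypothetical reversible store, which anyone with read access to the file can invert in one call, with a salted, iterated hash that supports verification only.

```python
"""Recoverable vs. verify-only password storage (illustrative, added here).

Hypothetical code for this post. It is NOT Omron's storage format and makes
no claim about how CX-Programmer stores project or PLC passwords. It shows
why "storing passwords in a recoverable format" (CWE-257) is a weakness:
whatever transform the application can reverse, an attacker holding the
same file can reverse too.
"""
import base64
import hashlib
import hmac
import os

# --- Weak: a "recoverable format" (hypothetical obfuscation scheme) ---------
# Fixed key, XOR, then base64. It only looks encrypted: the key ships with
# the software, so recovering the password needs no guessing at all.
OBFUSCATION_KEY = b"CX-EXAMPLE-KEY"   # constructed for this example


def store_recoverable(password: str) -> str:
    raw = password.encode("utf-8")
    mixed = bytes(b ^ OBFUSCATION_KEY[i % len(OBFUSCATION_KEY)]
                  for i, b in enumerate(raw))
    return base64.b64encode(mixed).decode("ascii")


def recover_password(stored: str) -> str:
    """What an attacker with local read access does: apply the same
    transform backwards. This is the whole 'exploit' for this class."""
    mixed = base64.b64decode(stored)
    raw = bytes(b ^ OBFUSCATION_KEY[i % len(OBFUSCATION_KEY)]
                for i, b in enumerate(mixed))
    return raw.decode("utf-8")


# --- Hardened: salted, iterated hash; the file can only confirm a guess ------
PBKDF2_ITERATIONS = 200_000   # slows offline guessing; tune to your CPU budget


def store_hashed(password: str) -> str:
    salt = os.urandom(16)   # fresh per password, so equal passwords differ on disk
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_hashed(password: str, stored: str) -> bool:
    algo, iters, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash record")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, int(iters))
    # Constant-time compare so a timing side channel does not leak the digest.
    return hmac.compare_digest(actual, expected)


def demo() -> dict:
    """Run both schemes on a constructed password and report what each allows."""
    pw = "plc-Sup3rS3cret"   # constructed sample, not a real credential
    weak = store_recoverable(pw)
    strong = store_hashed(pw)
    return {
        "recovered_from_weak": recover_password(weak),   # the password, verbatim
        "strong_verifies": verify_hashed(pw, strong),    # True
        "strong_rejects_wrong": verify_hashed("wrong", strong),  # False
    }


if __name__ == "__main__":
    print(demo())
```

One caveat that ties the two vulnerability classes together: a hash only works for credentials the application merely checks. A password that the engineering tool must present to the PLC over the wire cannot be stored as a hash on the client, because the client has to reproduce it; such secrets belong in an OS credential store or under encryption with a key the user supplies, and the protocol carrying them needs to be authenticated and encrypted, which is exactly what CVE-2015-0987 says was missing.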
ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the first vulnerability to access a device programmed with the application; because the sensitive information travels in clear text, anyone positioned on the network path between CX-Programmer and the PLC can capture it. The two password-storage vulnerabilities can only be exploited locally, by someone with access to the files in which the passwords are stored.
The Omron security notice indicates that the new CX-Programmer software version and the new CJ series PLCs need to be used in conjunction for the new protection to be effective; updating the software alone does not protect installations that keep their existing PLCs.