This afternoon the DHS ICS-CERT published an advisory
for multiple vulnerabilities in the Omron CX-Programmer Software. The
vulnerabilities were reported by Stephen Dunlap of the Air Force Institute of
Technology. Omron has produced new versions of the affected products, but there
is no indication that Dunlap was provided an opportunity to verify the efficacy
of the fix.
The three vulnerabilities that were identified were:
• Clear text transmission of sensitive information, CVE-2015-0987; and
• Storing passwords in a recoverable format, CVE-2015-0988 and CVE-2015-1015
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit the first vulnerability (the other two can only be
locally exploited) to access a device programmed with the application.
The Omron security notice indicates that both the new CX-Programmer software
version and the new CJ series PLCs need to be used in conjunction for the new
protection to be effective.