PRUEBA AHORA
Vulnerability

Critical Vulnerability Threatens Omron PLCs

3 min. read
15/03/2023
By Laura Libeer
Omron-Vulnerability-Blog-Featured

⚡ TL;DR | Go Straight to the Omron Improper Access Control Vulnerability Report

Omron has released a security advisory regarding an improper access control vulnerability in the CS/CJ/CP series of their programmable controllers. The issue affects multiple components of the CJ1M PLC and could allow an attacker to bypass user memory protections and overwrite passwords or lock you out of reading your own memory regions. Our team has added a new report to your Lansweeper installation to help you locate potentially vulnerable devices.

Omron Vulnerability CVE-2023-0811

The issue tracked as CVE-2023-0811 affects the CS/CJ/CP-series of programmable controllers. There are improper access controls on the memory region where the UM password is stored. By issuing a PROGRAM AREA WRITE command to a specific memory region, an attacker could overwrite the password. The vulnerability received a critical CVSS base score of 9.1. So far there have been no reports of the vulnerabilities being exploited in the wild.

Protect Vulnerable Omron PLCs

The vulnerabilities exist in several products and versions of the CS/CJ/CP-series Programmable Controllers. You can find the full list below. In order to protect yourself from attacks, Omron has provided countermeasures you can take:

  1. Enable the hardware switch to prohibit writing UM. (DIP switch on the front panel of the CPU Unit)
  2. Set UM read protection password and “Prohibit from overwriting to a protected program” option.

You can find detailed instructions for these countermeasures in Omron’s advisory. In case you are unable to take these countermeasures at this time, it also provides a number of mitigation measures you can take.

Affected Products and Versions

Product SeriesModelVersion
SYSMAC CJ-seriesCJ2H-CPU6[]-EIPAll versions
CJ2H-CPU6[]All versions
CJ2M-CPU[][]All versions
CJ1G-CPU[][]PAll versions
SYSMAC CS-seriesCS1H-CPU[][]HAll versions
CS1G-CPU[][]HAll versions
CS1D-CPU[][]HAAll versions
CS1D-CPU[][]HAll versions
CS1D-CPU[][]SAAll versions
CS1D-CPU[][]SAll versions
CS1D-CPU[][]PAll versions
SYSMAC CP-seriesCP2E-E[][]D[]-[]All versions
CP2E-S[][]D[]-[]All versions
CP2E-N[][]D[]-[]All versions
CP1H-X40D[]-[]All versions
CP1H-XA40D[]-[]All versions
CP1H-Y20DT-DAll versions
CP1L-EL20D[]-[]All versions
CP1L-EM[][]D[]-[]All versions
CP1L-L[][]D[]-[]All versions
CP1L-M[][]D[]-[]All versions
CP1E-E[][]D[]-[]All versions
CP1E-NA[][]D[]-[]All versions
[]: Wildcard represents 1 character

Discover Vulnerable PLCs

Our team has put together a report based on Omron’s list of vulnerable devices. Please note that OT scanning is only available in Lansweeper Cloud, so this report has been added to your Lansweeper Cloud installation. It will give you an overview of any potentially vulnerable Omron Programmable Controllers in your network. This way you have an actionable list of devices to start taking the necessary countermeasures to protect your network.

image 1