GRI

ICS Advisory: Omron Engineering Software Zip-Slip

News Cybersecurity English Guidance
Date: 19th Sep, 2023 Source: Cybersecurity and Infrastructure Security Agency Country: USA Original Source

Brief

Summary:

A vulnerability has been identified in Omron's Sysmac Studio and NX-IO Configurator software, affecting versions 1.54 and prior. The vulnerability is a path traversal issue (CVE-2018-1002205) with a CVSS v3 score of 5.5. An attacker could potentially overwrite files on a system by exploiting this vulnerability.

OMRON recommends various general mitigation measures to minimize the risk of exploitation, including anti-virus protection, security measures to prevent unauthorized access, data input and output protection, and data recovery. CISA also recommends minimizing network exposure, using firewalls and VPNs, and performing proper impact analysis and risk assessment. No public exploitation has been reported to CISA at this time.

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v3 5.5
  • ATTENTION: Low attack complexity
  • Vendor: Omron
  • Equipment: Sysmac Studio, NX-IO Configurator
  • Vulnerability: Path Traversal

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to overwrite files on a system.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Omron engineering software are affected:

  • Sysmac Studio: version 1.54 and prior
  • NX-IO Configurator: version 1.22 and prior

3.2 Vulnerability Overview

3.2.1 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22

DotNetZip.Semvered before 1.11.0 is vulnerable to directory traversal, which could allow attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry mishandled during extraction. This vulnerability is also known as “Zip-Slip.”

CVE-2018-1002205 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Reid Wightman of Dragos reported this vulnerability to CISA. Michael Heinzl reported the Zip-Slip vulnerability to JPCERT/CC.

4. MITIGATIONS

OMRON recommends the following general mitigation measures to minimize the risk of vulnerability exploitation:

  • Anti-virus protection:
    • Protect any PC with access to the control system against malware and ensure installation and maintenance of up-to-date commercial grade anti-virus software protections. 
  • Security measures to prevent unauthorized access:
    • Minimize connection of control systems and equipment to open networks so untrusted devices will be
      unable to access them.
    • Implement firewalls (by shutting down unused communications ports, limiting communications hosts,
      etc.) and isolate them from the IT network.
    • Use a virtual private network (VPN) for remote access to control systems and equipment.
    • Use strong passwords and change them frequently.
    • Install physical controls so only authorized personnel can access control systems and equipment.
    • Scan for viruses to ensure safety of any USB drives or similar devices before connecting them to
      systems and devices.
    • Enforce multifactor authentication whenever possible of all devices with remote access to control
      systems and equipment.

  • Data input and output protection:

    • Perform process validation, such as backup validation or range checks, to cope with unintentional
      modification of input/output data to control systems and devices.

  • Data recovery:

    • Periodical data backup and maintenance to prevent data loss.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

  • September 19, 2023: Initial Publication

Highlights content goes here...

Summary:

View CSAF: Omron Sysmac Studio and NX-IO Configurator Vulnerability

Executive Summary:
The View CSAF provides information on a vulnerability in Omron’s Sysmac Studio and NX-IO Configurator software. The vulnerability, a path traversal vulnerability, has a CVSS v3 score of 5.5 and is assigned CVE-2018-1002205. Successful exploitation could allow an attacker to overwrite files on a system with low attack complexity.

Risk Evaluation:
The risk associated with this vulnerability is high, as an attacker could gain unauthorized access to system files and potentially cause data loss or corruption.

Technical Details:
The vulnerability affects versions 1.54 and prior of Omron’s Sysmac Studio and versions 1.22 and prior of the NX-IO Configurator. The vulnerability is caused by improper limitation of a pathname to a restricted directory, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry mishandled during extraction.

Mitigations:
To minimize the risk of vulnerability exploitation, Omron recommends implementing general mitigation measures, including anti-virus protection, security measures to prevent unauthorized access, data input and output protection, and data recovery. CISA also provides recommended practices for control systems security, including minimizing network exposure, locating control systems behind firewalls, and using more secure remote access methods.

Update History:
The initial publication of this View CSAF was on September 19, 2023.

Overall, this vulnerability poses a significant risk to organizations that rely on Omron’s Sysmac Studio and NX-IO Configurator software, and it is essential to take proactive measures to mitigate the risk of exploitation.

Cybersecurity and Infrastructure Security Agency

Quick Insight
RADA.AI
RADA.AI
Hello! I'm RADA.AI - Regulatory Analysis and Decision Assistance. Your Intelligent guide for compliance and decision-making. How can i assist you today?
Suggested
Related Documents
Medical device salesperson reporting procedure guide
Date: 5th Feb, 2025 Source: Ministry of Health and Welfare (MOHW) Country: South Korea
News Healthcare & Pharma Guidance
​The EBA issues an Opinion in response to the European Commission’s proposed amendments to the EBA draft technical standards on conflicts of interests for issuers of asset-referenced tokens
Date: 5th Feb, 2025 Source: European Banking Authority (EBA) Country: European Union
News Financial services Guidance
Low risk waste positions: electrical equipment, including constituent parts and accessories
Date: 5th Feb, 2025 Source: Environment Agency (EA) Country: United Kingdom
News Environment Guidance

Form successfully submitted. One of our GRI rep will contact you shortly

Thanking You!

Click here

Enter your Email

Enter your registered username/email id.

Enter your Email

Enter your email id below to signup.

Enter your Email

Enter your email id below to signup.
Individual Plan
  • Designed for Growing Compliance Teams
$125 / month OR $1250 / year
Features
  • • Coverage for 20 jurisdictions
  • • Monitoring from 500+ regulatory authorities
  • • AI compliance summaries
  • • RaDa.ai : Single-Role
Best for: Researchers, Legal professionals, Academics
Subscribe Now
Enterprise Plan
  • Perfect for Global Enterprises
Contact for Pricing
Features
  • • Custom jurisdictional coverage
  • • Custom monitoring of regulatory authorities
  • • RaDa.ai : Customizable multi-role
  • • Custom reporting and dashboard capabilities
  • • API access for seamless integration
Best for: Law Firms, Corporations, Government Bodies
Contact Sales