CVE-2022-31206

Name of the Vulnerable Software and Affected Versions Omron SYSMAC Nx product family PLCs (NJ series, NY series, NX series, and PMAC series) through 2022-005-18

Description The issue is related to the lack of cryptographic authentication in the Omron SYSMAC Nx product family PLCs. This allows an attacker to manipulate transmitted object code to the PLC and execute arbitrary machine code on the processor of the PLC's CPU module in the context of the runtime. The PLCs are programmed using the SYMAC Studio engineering software, which compiles IEC 61131-3 conformant POU code to native machine code for execution by the PLC's runtime. In some cases, an RTOS and hardware combination is used that could potentially allow for memory protection and privilege separation, limiting the impact of code execution.

Recommendations For Omron SYSMAC Nx product family PLCs (NJ series, NY series, NX series, and PMAC series) through 2022-005-18, consider implementing additional security measures to authenticate and verify the integrity of the code downloaded to the PLC, such as cryptographic authentication, to prevent manipulation of transmitted object code. As a temporary workaround, restrict access to the PLC's runtime environment to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.