Omron’s NJ/NX-Series Machine Automation Controllers Vulnerabilities

By Jonathan Means on December 31, 2022

Executive Summary

On April 13, 2022, the Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory (CSA) warning that certain advanced persistent threat (APT) actors have demonstrated the capability to gain full system access to multiple industrial control system (ICS)/supervisory control and data acquisition (SCADA) devices, including Omron’s NX and NJ-series controllers[7]. On November 10, 2022, CISA published two advisories describing three vulnerabilities in the NJ and NX-series controllers reported by Reid Wightman of Dragos[1][2]. Dragos has also identified malware that uses one of these vulnerabilities to move further into operational technology (OT) networks, where it could cause significant damage to equipment or processes. Omron has released patches and mitigation guidance for these vulnerabilities, and organizations running the affected controllers should apply them as soon as possible.

Background

Earlier this year, Reid Wightman, a lead vulnerability researcher at the industrial cybersecurity firm Dragos, identified three flaws affecting Omron’s NX and NJ-series controllers[5]. The NX and NJ-series Machine Automation Controllers (MAC) combine the functionality of a programmable logic controller (PLC) and a motion controller in one package. These controllers drive a wide range of machine applications, from rotating equipment to robotic arms. The product line also includes safety controllers responsible for protecting people, for example by handling emergency stop buttons on conveyor systems and rotating equipment. Omron published advisories for these vulnerabilities in July 2022[3][4] and announced patch releases in July and October 2022[5].

Vulnerabilities

The three vulnerabilities disclosed by Reid Wightman were each assigned a Common Vulnerabilities and Exposures (CVE) identifier. The first, CVE-2022-34151, use of hard-coded credentials, received a Common Vulnerability Scoring System (CVSS) v3 base score of 9.8. It maps to Common Weakness Enumeration (CWE)-798: the affected product uses hard-coded credentials, which may allow a remote attacker to obtain those credentials by analyzing the product and then use them to access the controller[2].

The second, CVE-2022-33208, authentication bypass by capture-replay, maps to CWE-294. An attacker who can capture and analyze the communication between an affected controller and either the Sysmac Studio automation software or a programmable terminal (PT) can obtain sensitive information that allows them to bypass authentication and access the controller[2]. CVE-2022-33208 received a CVSS v3 base score of 7.5.

The third, CVE-2022-33971, active debug code, maps to CWE-489. An attacker who can analyze the product’s communication and perform capture-replay may find unintended entry points into the product and cause a denial-of-service condition or execute a malicious program[1]. CVE-2022-33971 received a CVSS v3 base score of 8.3.
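To make the capture-replay class concrete, the following Python model is an added example written for this page; it is not Omron’s protocol and not code from any of the advisories. It contrasts a toy controller that accepts a fixed credential message, which an attacker who captured it once can replay indefinitely, with a challenge-response variant that binds each proof to a single-use random nonce. The shared secret, the message layout and the class names are invented for the demonstration.

```python
"""Illustrative model of CWE-294 (authentication bypass by capture-replay).

Added, hypothetical example: a "controller" that authenticates an engineering
tool with a static credential message is compared with one that issues a
per-session nonce and verifies an HMAC over it.
"""
import hashlib
import hmac
import secrets

# Constructed shared secret standing in for a controller password.
# Nothing here is an Omron value.
SHARED_SECRET = b"plc-password"


class ReplayableController:
    """Accepts the same credential bytes every time (CWE-294)."""

    def login(self, message):
        # The credential is a fixed transform of the secret, so any message
        # that was valid once stays valid forever.
        expected = hashlib.sha256(SHARED_SECRET).digest()
        return hmac.compare_digest(message, expected)


def replayable_client_login():
    """What the legitimate tool sends; the attacker only has to sniff it."""
    return hashlib.sha256(SHARED_SECRET).digest()


class ChallengeResponseController:
    """Issues a fresh random nonce per session and binds the proof to it."""

    def __init__(self):
        self._outstanding = set()

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def login(self, nonce, proof):
        # The nonce is consumed whether or not the proof is good, so a
        # captured (nonce, proof) pair cannot be presented a second time.
        if nonce not in self._outstanding:
            return False
        self._outstanding.discard(nonce)
        expected = hmac.new(SHARED_SECRET, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(proof, expected)


def challenge_response_client(nonce):
    """Legitimate tool answers the challenge with the shared secret."""
    return hmac.new(SHARED_SECRET, nonce, hashlib.sha256).digest()


def demo_replayable():
    """Returns (legit_login_ok, replayed_login_ok)."""
    plc = ReplayableController()
    captured = replayable_client_login()   # attacker sniffs this
    first = plc.login(captured)
    replayed = plc.login(captured)         # attacker replays it verbatim
    return first, replayed


def demo_challenge_response():
    """Returns (legit_login_ok, replayed_login_ok, stale_proof_ok)."""
    plc = ChallengeResponseController()
    nonce = plc.challenge()
    proof = challenge_response_client(nonce)  # attacker sniffs nonce+proof
    first = plc.login(nonce, proof)
    replayed = plc.login(nonce, proof)        # same pair again: nonce spent
    # Without the secret the attacker cannot answer a new challenge.
    stale = plc.login(plc.challenge(), proof)
    return first, replayed, stale


if __name__ == "__main__":
    print("static credential:", demo_replayable())
    print("challenge-response:", demo_challenge_response())
```

The challenge-response variant closes the CWE-294 weakness but not the CWE-798 one: if the secret is hard-coded and can be extracted from the product, an attacker can answer any challenge, which is why the hard-coded credentials issue carries the higher score.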

Significance

APT actors have developed custom tools for targeting ICS/SCADA devices that let them scan for, compromise, and control affected devices once they have gained initial access to the OT network[7]. Omron PLCs are among the known targets. The ICS attack framework PIPEDREAM (also tracked as INCONTROLLER)[6] includes a component, BADOMEN, that Dragos reported in late October uses the hard-coded credentials flaw (CVE-2022-34151) to interact with the HTTP server on targeted Omron NX/NJ controllers[5][8]. This matters because BADOMEN can be used to manipulate and disrupt physical processes, with potentially severe consequences. CISA and Omron have published mitigations and patches, which should be applied across affected PLCs and OT networks to help protect companies and critical infrastructure.
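As an added example (not code from Dragos, CISA or Omron), the following Python check runs over constructed flow records and flags the two behaviours described above: a host outside the engineering allowlist talking to a controller, and an authentication payload first seen from the engineering workstation and later presented from a different host, which is what a capture-replay or stolen-credential login looks like on the wire. Addresses, field names and payload hashes are invented; a real deployment would feed it from a network sensor that exposes those fields.

```python
"""Added hunting example over constructed flow records (not from the page's
sources). Flags controller sessions from unexpected hosts and authentication
payloads reused from a second source."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One observed session, as a network sensor might summarise it."""
    src: str
    dst: str
    proto: str     # sensor label, e.g. "http" or "engineering"
    auth_id: str   # hash of the authentication payload, "" if none seen


# Hypothetical inventory (assumed, not from the advisories).
CONTROLLERS = {"10.0.5.10", "10.0.5.11"}
ENGINEERING_HOSTS = {"10.0.1.20"}      # the Sysmac Studio workstation

# Constructed sample telemetry. Records 3 and 4 reuse payloads that were
# first sent by the engineering host, now from an unknown host.
SAMPLE_FLOWS = [
    Flow("10.0.1.20", "10.0.5.10", "http", "a1b2"),
    Flow("10.0.1.20", "10.0.5.10", "engineering", "c3d4"),
    Flow("10.0.7.99", "10.0.5.10", "http", "a1b2"),
    Flow("10.0.7.99", "10.0.5.11", "engineering", "c3d4"),
    Flow("10.0.1.20", "10.0.5.11", "engineering", "e5f6"),
    Flow("10.0.7.99", "10.0.9.1", "http", ""),    # not a controller: ignored
]


def hunt(flows):
    """Return findings as dicts with keys rule, src, dst, detail."""
    findings = []
    first_source = {}   # auth_id -> host that first presented it
    for f in flows:
        if f.dst not in CONTROLLERS:
            continue
        if f.src not in ENGINEERING_HOSTS:
            findings.append({"rule": "unexpected-source", "src": f.src,
                             "dst": f.dst, "detail": f.proto})
        if not f.auth_id:
            continue
        origin = first_source.setdefault(f.auth_id, f.src)
        if origin != f.src:
            findings.append({"rule": "replayed-auth", "src": f.src,
                             "dst": f.dst,
                             "detail": f"payload {f.auth_id} first seen from {origin}"})
    return findings


def count_by_rule(findings):
    """Summarise findings by rule name for a quick triage view."""
    counts = {}
    for fd in findings:
        counts[fd["rule"]] = counts.get(fd["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for fd in hunt(SAMPLE_FLOWS):
        print(fd)
```

The replay heuristic only works while the authentication payload is static across sessions, which is exactly the CWE-294 condition; once the controller firmware is patched and the exchange varies per session, the second rule stops firing and the allowlist rule remains the useful one.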

Sources

[1] Cybersecurity and Infrastructure Security Agency. (2022, November 10). ICS Advisory (ICSA-22-314-07). Retrieved December 1, 2022, from https://www.cisa.gov/uscert/ics/advisories/icsa-22-314-07

[2] Cybersecurity and Infrastructure Security Agency. (2022, November 10). ICS Advisory (ICSA-22-314-08). Retrieved December 1, 2022, from https://www.cisa.gov/uscert/ics/advisories/icsa-22-314-08

[3] Omron. (2022, July 1). Authentication bypass vulnerabilities in communications functions of NJ/NX-series Machine Automation Controllers. Retrieved December 1, 2022, from https://www.ia.omron.com/product/vulnerability/OMSR-2022-001_en.pdf

[4] Omron. (2022, July 1). Malicious program execution vulnerability in NJ/NX-series Machine Automation Controllers. Retrieved December 1, 2022, from https://www.ia.omron.com/product/vulnerability/OMSR-2022-002_en.pdf

[5] Kovacs, E. (2022, November 18). Omron PLC Vulnerability Exploited by Sophisticated ICS Malware. Retrieved December 1, 2022, from https://www.securityweek.com/omron-plc-vulnerability-exploited-sophisticated-ics-malware

[6] Kovacs, E. (2022, April 14). Russia-Linked Pipedream/Incontroller ICS Malware Designed to Target Energy Facilities. Retrieved December 1, 2022, from https://www.securityweek.com/russia-linked-pipedreamincontroller-ics-malware-designed-target-energy-facilities

[7] Cybersecurity and Infrastructure Security Agency. (2022, April 13). APT Cyber Tools Targeting ICS/SCADA Devices. Retrieved December 1, 2022, from https://www.cisa.gov/uscert/ncas/alerts/aa22-103a

[8] Dragos. (2022, October 27). Analyzing PIPEDREAM: Results from Runtime Testing. Retrieved December 1, 2022, from https://www.dragos.com/blog/analyzing-pipedream-results-from-runtime-testing/