A critical vulnerability has not received the attention it deserves
A critical vulnerability affecting Omron products has been exploited by a sophisticated piece of malware designed to target industrial control systems (ICS), but it has not received the attention it deserves.
On November 10, the US Cybersecurity and Infrastructure Security Agency (CISA) published two advisories describing three vulnerabilities affecting NJ and NX-series controllers and software made by Japanese electronics giant Omron.
One of the advisories describes CVE-2022-33971, a high-severity flaw that can allow an attacker who can access the targeted Omron programmable logic controller (PLC) to cause a denial-of-service (DoS) condition or execute malicious programs.
The second advisory describes CVE-2022-34151, a critical hardcoded credentials vulnerability that can be used to access Omron PLCs, and CVE-2022-33208, a high-severity issue that can be used to obtain sensitive information that could allow hackers to bypass authentication and access the controller.
Omron released advisories for these vulnerabilities in July, with patches announced in July and October.
Reid Wightman, lead vulnerability researcher at industrial cybersecurity firm Dragos, has been credited for disclosing these flaws.
Wightman told SecurityWeek that the affected PLCs are used for a wide range of applications, from rotating equipment to robotic arms, and they include safety controllers that can be responsible for human safety, such as panic stop buttons at conveyor systems and rotating equipment.
Wightman explained that network access to the PLC is required to exploit these vulnerabilities. While exposing these controllers to the internet is strongly discouraged, the Shodan search engine does show a few dozen instances of the affected Omron PLCs being exposed on the web. The exposed devices are located around the world, with the highest percentages seen in Norway, Australia and Taiwan.
“Real-world impact varies based on what the controller is actually doing,” the researcher said. “An attacker may use the most significant of the vulnerabilities to persist on the controller, where they may modify the PLC’s running logic at any time. This could allow them to turn on and off pumps, lights, or other equipment, against the wishes of the operator. In the case of safety systems, this may be used to prevent safety operations from happening – imagine pressing the panic stop button, and it does not do anything.”
While the advisories published by CISA typically describe theoretical risks, Wightman pointed out that CVE-2022-34151 has actually been targeted by a sophisticated ICS attack framework known as Pipedream (also called Incontroller), whose existence came to light in April.
CISA and other government agencies at the time warned organizations about Pipedream targeting Schneider Electric and Omron PLCs, as well as OPC UA servers. At the time, it was believed that the malware had only been abusing native functionality rather than exploiting vulnerabilities in targeted products.
Dragos, which has conducted an in-depth analysis of Pipedream, tracks the threat actor behind it as Chernovite, which it believes to be a state-sponsored group. Others have linked the group to Russia.
Dragos revealed in late October that one of Pipedream’s components, named BadOmen, has been exploiting CVE-2022-34151 to interact with an HTTP server on targeted Omron NX/NJ controllers.
BadOmen can be used to manipulate and disrupt physical processes. In the future, the malware may also be able to target safety controllers, similar to the Triton ICS malware, Dragos said in its analysis.
Not many ICS vulnerabilities are actually exploited in attacks, and it seems that the ones that do get exploited do not get the attention they deserve.
Omron’s advisory does not highlight CVE-2022-34151 and does not mention anything about exploitation in the wild.
CISA did mention that the advisory describing two of the Omron vulnerabilities is related to the April alert on ICS hacking tools, but the agency does not highlight CVE-2022-34151 in any way, and the mention of the previous alert is buried in the advisory. CISA’s Known Exploited Vulnerabilities catalog does not include CVE-2022-34151.
It’s unclear whether the US government or the vendor has sent out private notifications for this vulnerability, but the public alerts and advisories have failed to warn organizations about the flaw’s true potential impact.