Details of VAR-202206-2042

ID

VAR-202206-2042

CVE

CVE-2022-31205

TITLE

Vulnerability related to plain text storage of important information in multiple OMRON Corporation products

Trust: 0.8

sources: JVNDB: JVNDB-2022-013963

DESCRIPTION

In Omron CS series, CJ series, and CP series PLCs through 2022-05-18, the password for access to the Web UI is stored in memory area D1449...D1452 and can be read out using the Omron FINS protocol without any further authentication. sysmac cs1 firmware, sysmac cj2m firmware, sysmac cj2h Several Omron Corporation products, including firmware, contain vulnerabilities related to the storage of important information in plain text.Information may be obtained. Omron SYSMAC CS/CJ/CP Series and NJ/NX Series

Trust: 1.71

sources: NVD: CVE-2022-31205 // JVNDB: JVNDB-2022-013963 // VULMON: CVE-2022-31205

AFFECTED PRODUCTS

vendor:	omron	model:	sysmac cp1h	scope:	lt	version:	1.30	Trust: 1.0
vendor:	omron	model:	sysmac cj2m	scope:	lt	version:	2.1	Trust: 1.0
vendor:	omron	model:	sysmac cp1e	scope:	lt	version:	1.30	Trust: 1.0
vendor:	omron	model:	sysmac cj2h	scope:	lt	version:	1.5	Trust: 1.0
vendor:	omron	model:	cp1w-cif41	scope:	eq	version:	-	Trust: 1.0
vendor:	omron	model:	sysmac cp1l	scope:	lt	version:	1.10	Trust: 1.0
vendor:	omron	model:	sysmac cs1	scope:	lt	version:	4.1	Trust: 1.0
vendor:	オムロン株式会社	model:	sysmac cp1h	scope:	-	version:	-	Trust: 0.8
vendor:	オムロン株式会社	model:	sysmac cs1	scope:	-	version:	-	Trust: 0.8
vendor:	オムロン株式会社	model:	sysmac cj2m	scope:	-	version:	-	Trust: 0.8
vendor:	オムロン株式会社	model:	sysmac cp1e	scope:	-	version:	-	Trust: 0.8
vendor:	オムロン株式会社	model:	sysmac cj2h	scope:	-	version:	-	Trust: 0.8
vendor:	オムロン株式会社	model:	cp1w-cif41	scope:	-	version:	-	Trust: 0.8
vendor:	オムロン株式会社	model:	sysmac cp1l	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2022-013963 // NVD: CVE-2022-31205

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-31205
value:	HIGH
Trust: 1.0
NVD:	CVE-2022-31205
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-202206-2695
value:	HIGH
Trust: 0.6

nvd@nist.gov:	CVE-2022-31205
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	CVE-2022-31205
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2022-013963 // CNNVD: CNNVD-202206-2695 // NVD: CVE-2022-31205

PROBLEMTYPE DATA

problemtype:	CWE-312	Trust: 1.0
problemtype:	Plaintext storage of important information (CWE-312) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2022-013963 // NVD: CVE-2022-31205

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202206-2695

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202206-2695

PATCH

title:

Omron SYSMAC CS/CJ/CP Series and NJ/NX Series Security vulnerabilities

url:

http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=203713

Trust: 0.6

sources: CNNVD: CNNVD-202206-2695

EXTERNAL IDS

db:	NVD	id:	CVE-2022-31205	Trust: 3.3
db:	ICS CERT	id:	ICSA-22-179-02	Trust: 2.5
db:	JVN	id:	JVNVU97111518	Trust: 0.8
db:	JVNDB	id:	JVNDB-2022-013963	Trust: 0.8
db:	AUSCERT	id:	ESB-2022.3140	Trust: 0.6
db:	CS-HELP	id:	SB2022062925	Trust: 0.6
db:	CNNVD	id:	CNNVD-202206-2695	Trust: 0.6
db:	VULMON	id:	CVE-2022-31205	Trust: 0.1

sources: VULMON: CVE-2022-31205 // JVNDB: JVNDB-2022-013963 // CNNVD: CNNVD-202206-2695 // NVD: CVE-2022-31205

REFERENCES

url:	https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-02	Trust: 2.5
url:	https://www.forescout.com/blog/	Trust: 2.4
url:	https://jvn.jp/vu/jvnvu97111518/	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2022-31205	Trust: 0.8
url:	https://www.auscert.org.au/bulletins/esb-2022.3140	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022062925	Trust: 0.6
url:	https://cxsecurity.com/cveshow/cve-2022-31205/	Trust: 0.6
url:	https://us-cert.cisa.gov/ics/advisories/icsa-22-179-02	Trust: 0.6

sources: VULMON: CVE-2022-31205 // JVNDB: JVNDB-2022-013963 // CNNVD: CNNVD-202206-2695 // NVD: CVE-2022-31205

CREDITS

Daniel dos Santos and Jos Wetzels from Forescout Technologies reported these vulnerabilities to CISA.

Trust: 0.6

sources: CNNVD: CNNVD-202206-2695

SOURCES

db:	VULMON	id:	CVE-2022-31205
db:	JVNDB	id:	JVNDB-2022-013963
db:	CNNVD	id:	CNNVD-202206-2695
db:	NVD	id:	CVE-2022-31205

LAST UPDATE DATE

2024-08-14T13:01:51.374000+00:00

SOURCES UPDATE DATE

db:	JVNDB	id:	JVNDB-2022-013963	date:	2023-09-13T08:15:00
db:	CNNVD	id:	CNNVD-202206-2695	date:	2022-08-10T00:00:00
db:	NVD	id:	CVE-2022-31205	date:	2023-08-08T14:22:24.967

SOURCES RELEASE DATE

db:	JVNDB	id:	JVNDB-2022-013963	date:	2023-09-13T00:00:00
db:	CNNVD	id:	CNNVD-202206-2695	date:	2022-06-28T00:00:00
db:	NVD	id:	CVE-2022-31205	date:	2022-07-26T22:15:11.357