Details of VAR-202206-2044

ID

VAR-202206-2044

CVE

CVE-2022-31204

TITLE

Vulnerability related to sending sensitive information in plain text in multiple OMRON Corporation products

Trust: 0.8

sources: JVNDB: JVNDB-2022-013964

DESCRIPTION

Omron CS series, CJ series, and CP series PLCs through 2022-05-18 use cleartext passwords. They feature a UM Protection setting that allows users or system integrators to configure a password in order to restrict sensitive engineering operations (such as project/logic uploads and downloads). This password is set using the OMRON FINS command Program Area Protect and unset using the command Program Area Protect Clear, both of which are transmitted in cleartext. sysmac cs1 firmware, sysmac cj2m firmware, sysmac cj2h Several Omron Corporation products, including firmware, contain a vulnerability related to the transmission of sensitive information in plain text.Information may be obtained. Omron SYSMAC CS/CJ/CP Series and NJ/NX Series

Trust: 1.8

sources: NVD: CVE-2022-31204 // JVNDB: JVNDB-2022-013964 // VULHUB: VHN-422891 // VULMON: CVE-2022-31204

AFFECTED PRODUCTS

vendor:	omron	model:	sysmac cj2h	scope:	lt	version:	1.5	Trust: 1.0
vendor:	omron	model:	sysmac cp1l	scope:	lt	version:	1.10	Trust: 1.0
vendor:	omron	model:	sysmac cp1h	scope:	lt	version:	1.30	Trust: 1.0
vendor:	omron	model:	sysmac cj2m	scope:	lt	version:	2.1	Trust: 1.0
vendor:	omron	model:	cx-programmer	scope:	lt	version:	9.6	Trust: 1.0
vendor:	omron	model:	cp1w-cif41	scope:	eq	version:	-	Trust: 1.0
vendor:	omron	model:	sysmac cp1e	scope:	lt	version:	1.30	Trust: 1.0
vendor:	omron	model:	sysmac cs1	scope:	lt	version:	4.1	Trust: 1.0
vendor:	オムロン株式会社	model:	sysmac cp1h	scope:	-	version:	-	Trust: 0.8
vendor:	オムロン株式会社	model:	sysmac cs1	scope:	-	version:	-	Trust: 0.8
vendor:	オムロン株式会社	model:	sysmac cj2m	scope:	-	version:	-	Trust: 0.8
vendor:	オムロン株式会社	model:	cx-programmer	scope:	-	version:	-	Trust: 0.8
vendor:	オムロン株式会社	model:	sysmac cp1e	scope:	-	version:	-	Trust: 0.8
vendor:	オムロン株式会社	model:	sysmac cj2h	scope:	-	version:	-	Trust: 0.8
vendor:	オムロン株式会社	model:	cp1w-cif41	scope:	-	version:	-	Trust: 0.8
vendor:	オムロン株式会社	model:	sysmac cp1l	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2022-013964 // NVD: CVE-2022-31204

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD:	CVE-2022-31204
value:	HIGH
Trust: 1.8
CNNVD:	CNNVD-202206-2692
value:	HIGH
Trust: 0.6

NVD:
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	CVE-2022-31204
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2022-013964 // NVD: CVE-2022-31204 // CNNVD: CNNVD-202206-2692

PROBLEMTYPE DATA

problemtype:	CWE-319	Trust: 1.1
problemtype:	Sending important information in clear text (CWE-319) [NVD evaluation ]	Trust: 0.8

sources: VULHUB: VHN-422891 // JVNDB: JVNDB-2022-013964 // NVD: CVE-2022-31204

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202206-2692

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202206-2692

CONFIGURATIONS

sources: NVD: CVE-2022-31204

PATCH

title:

Omron SYSMAC CS/CJ/CP Series and NJ/NX Series Security vulnerabilities

url:

http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=203712

Trust: 0.6

sources: CNNVD: CNNVD-202206-2692

EXTERNAL IDS

db:	NVD	id:	CVE-2022-31204	Trust: 3.4
db:	ICS CERT	id:	ICSA-22-179-02	Trust: 2.6
db:	JVN	id:	JVNVU97111518	Trust: 0.8
db:	JVNDB	id:	JVNDB-2022-013964	Trust: 0.8
db:	AUSCERT	id:	ESB-2022.3140	Trust: 0.6
db:	CS-HELP	id:	SB2022062924	Trust: 0.6
db:	CNNVD	id:	CNNVD-202206-2692	Trust: 0.6
db:	VULHUB	id:	VHN-422891	Trust: 0.1
db:	VULMON	id:	CVE-2022-31204	Trust: 0.1

sources: VULHUB: VHN-422891 // VULMON: CVE-2022-31204 // JVNDB: JVNDB-2022-013964 // NVD: CVE-2022-31204 // CNNVD: CNNVD-202206-2692

REFERENCES

url:	https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-02	Trust: 2.6
url:	https://www.forescout.com/blog/	Trust: 2.5
url:	https://jvn.jp/vu/jvnvu97111518/	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2022-31204	Trust: 0.8
url:	https://www.auscert.org.au/bulletins/esb-2022.3140	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022062924	Trust: 0.6
url:	https://us-cert.cisa.gov/ics/advisories/icsa-22-179-02	Trust: 0.6
url:	https://cxsecurity.com/cveshow/cve-2022-31204/	Trust: 0.6

sources: VULHUB: VHN-422891 // VULMON: CVE-2022-31204 // JVNDB: JVNDB-2022-013964 // NVD: CVE-2022-31204 // CNNVD: CNNVD-202206-2692

CREDITS

Daniel dos Santos and Jos Wetzels from Forescout Technologies reported these vulnerabilities to CISA.

Trust: 0.6

sources: CNNVD: CNNVD-202206-2692

SOURCES

db:	VULHUB	id:	VHN-422891
db:	VULMON	id:	CVE-2022-31204
db:	JVNDB	id:	JVNDB-2022-013964
db:	NVD	id:	CVE-2022-31204
db:	CNNVD	id:	CNNVD-202206-2692

LAST UPDATE DATE

2023-12-18T11:41:26.676000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-422891	date:	2022-08-04T00:00:00
db:	JVNDB	id:	JVNDB-2022-013964	date:	2023-09-13T08:15:00
db:	NVD	id:	CVE-2022-31204	date:	2022-08-04T14:59:59.737
db:	CNNVD	id:	CNNVD-202206-2692	date:	2022-08-10T00:00:00

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-422891	date:	2022-07-26T00:00:00
db:	JVNDB	id:	JVNDB-2022-013964	date:	2023-09-13T00:00:00
db:	NVD	id:	CVE-2022-31204	date:	2022-07-26T22:15:11.317
db:	CNNVD	id:	CNNVD-202206-2692	date:	2022-06-28T00:00:00