Sign-up

ID

VAR-202208-2379


TITLE

Omron CX-One CX-Programmer CXP File Parsing Use-After-Free Remote Code Execution Vulnerability

Trust: 0.7

sources: ZDI: ZDI-22-1150

DESCRIPTION

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Omron CX-One. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the parsing of CXP files in the CX-Programmer module. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process.

Trust: 0.7

sources: ZDI: ZDI-22-1150

AFFECTED PRODUCTS

vendor:omronmodel:cx-onescope: - version: -

Trust: 0.7

sources: ZDI: ZDI-22-1150

CVSS

SEVERITY

CVSSV2

CVSSV3

ZDI: ZDI-22-1150
value: HIGH

Trust: 0.7

ZDI: ZDI-22-1150
baseSeverity: HIGH
baseScore: 7.8
vectorString: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 0.7

sources: ZDI: ZDI-22-1150

PATCH

title:Omron has issued an update to correct this vulnerability.url:https://www.ia.omron.com/product/tool/26/cxone/e4_doc.html

Trust: 0.7

sources: ZDI: ZDI-22-1150

EXTERNAL IDS

db:ZDI_CANid:ZDI-CAN-15341

Trust: 0.7

db:ZDIid:ZDI-22-1150

Trust: 0.7

sources: ZDI: ZDI-22-1150

REFERENCES

url:https://www.ia.omron.com/product/tool/26/cxone/e4_doc.html

Trust: 0.7

sources: ZDI: ZDI-22-1150

CREDITS

xina1i

Trust: 0.7

sources: ZDI: ZDI-22-1150

SOURCES

db:ZDIid:ZDI-22-1150

LAST UPDATE DATE

2023-02-15T22:27:36.810000+00:00


SOURCES UPDATE DATE

db:ZDIid:ZDI-22-1150date:2022-08-23T00:00:00

SOURCES RELEASE DATE

db:ZDIid:ZDI-22-1150date:2022-08-23T00:00:00