OMRON NJ/NX series vulnerable to path traversal
Overview
OMRON NJ/NX series contain a path traversal vulnerability.
Products Affected
- Machine Automation Controller NJ-series
  - NJ101-[][][][], NJ301-[][][][], NJ501-1[]0[]
    - Ver.1.64.05 and earlier
    - Lot No. 30924 (September 30, 2024) and earlier (*1)
  - NJ501-1[]2[], NJ501-1340, NJ501-4[][][], NJ501-5300, NJ501-R[][][]
    - Ver.1.64.04 and earlier
    - Lot No. 30924 (September 30, 2024) and earlier (*1)
Refer to the “Appendix” section of the developer’s advisory for how to check the affected versions.
(*1) Refer to the “ID Information Indication” section of the manual “NJ-series CPU unit Hardware User’s Manual (W500)” for how to check the Lot No.
- Machine Automation Controller NX-series
  - NX1P2-[][][][][][], NX1P2-[][][][][][]1
    - Ver.1.64.04 and earlier
    - Lot No. 19Y24 (November 19, 2024) and earlier (*2)
(*2) Refer to the “ID Information Indication” section of the manual “NX1P2 CPU Unit User’s Manual (Hardware) (W578)” for how to check the Lot No.
For details, refer to the information provided by the developer.
Description
Machine Automation Controller NJ/NX series provided by OMRON Corporation contain a path traversal vulnerability (CWE-22, CVE-2024-12083).
Impact
If the affected product processes a specially crafted request sent by a remote attacker with administrative privileges, an arbitrary file in the product may be accessed or arbitrary code may be executed.
Solution
Update the software
Update the software to the latest version according to the information provided by the developer.
For how to obtain the update or how to apply it, refer to the information provided by the developer.
Credit
OMRON Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.