Vulnerability Description
FINS (Factory Interface Network Service) is a message communication protocol, which is designed to be used in closed FA (Factory Automation) networks, and is used in FA networks composed of OMRON products. Multiple OMRON products that implement FINS protocol contain following security issues -- (1)Plaintext communication, and (2)No authentication required. When FINS messages are intercepted, the contents may be retrieved. When arbitrary FINS messages are injected, any commands may be executed on, or the system information may be retrieved from, the affected device. Affected products and versions are as follows: SYSMAC CS-series CPU Units, all versions, SYSMAC CJ-series CPU Units, all versions, SYSMAC CP-series CPU Units, all versions, SYSMAC NJ-series CPU Units, all versions, SYSMAC NX1P-series CPU Units, all versions, SYSMAC NX102-series CPU Units, all versions, and SYSMAC NX7 Database Connection CPU Units (Ver.1.16 or later)
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Omron | Cs1W-Eip21 Firmware | All versions |
| Omron | Cs1W-Eip21 | - |
| Omron | Cs1W-Spu01-V2 Firmware | All versions |
| Omron | Cs1W-Spu01-V2 | - |
| Omron | Cs1W-Spu02-V2 Firmware | All versions |
| Omron | Cs1W-Spu02-V2 | - |
| Omron | Cs1W-Etn21 Firmware | All versions |
| Omron | Cs1W-Etn21 | - |
| Omron | Cs1W-Clk Firmware | All versions |
| Omron | Cs1W-Clk | - |
| Omron | Cs1W-Fln22 Firmware | All versions |
| Omron | Cs1W-Fln22 | - |
| Omron | Cs1W-Drm21-V1 Firmware | All versions |
| Omron | Cs1W-Drm21-V1 | - |
| Omron | Cs1W-Nc271 Firmware | - |
| Omron | Cs1W-Nc271 | - |
| Omron | Cs1W-Nc471 Firmware | - |
| Omron | Cs1W-Nc471 | - |
| Omron | Cs1W-Ncf71 Firmware | - |
| Omron | Cs1W-Ncf71 | - |
Related Weaknesses (CWE)
References
- https://jvn.jp/en/ta/JVNTA91513661/Third Party Advisory
- https://jvn.jp/ta/JVNTA91513661/Third Party Advisory
- https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-02Not ApplicableThird Party AdvisoryUS Government Resource
- https://www.fa.omron.co.jp/product/vulnerability/OMSR-2023-003_ja.pdfVendor Advisory
- https://www.ia.omron.com/product/vulnerability/OMSR-2023-003_en.pdfVendor Advisory
- https://www.us-cert.gov/ics/advisories/icsa-19-346-02Not ApplicableThird Party AdvisoryUS Government Resource
- https://www.us-cert.gov/ics/advisories/icsa-20-063-03Not ApplicableThird Party AdvisoryUS Government Resource
- https://jvn.jp/en/ta/JVNTA91513661/Third Party Advisory
- https://jvn.jp/ta/JVNTA91513661/Third Party Advisory
- https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-02Not ApplicableThird Party AdvisoryUS Government Resource
- https://www.fa.omron.co.jp/product/vulnerability/OMSR-2023-003_ja.pdfVendor Advisory
- https://www.ia.omron.com/product/vulnerability/OMSR-2023-003_en.pdfVendor Advisory
- https://www.us-cert.gov/ics/advisories/icsa-19-346-02Not ApplicableThird Party AdvisoryUS Government Resource
- https://www.us-cert.gov/ics/advisories/icsa-20-063-03Not ApplicableThird Party AdvisoryUS Government Resource
FAQ
What is CVE-2023-27396?
CVE-2023-27396 is a vulnerability with a CVSS score of 9.8 (CRITICAL). FINS (Factory Interface Network Service) is a message communication protocol, which is designed to be used in closed FA (Factory Automation) networks, and is used in FA networks composed of OMRON prod...
How severe is CVE-2023-27396?
CVE-2023-27396 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2023-27396?
Check the references section above for vendor advisories and patch information. Affected products include: Omron Cs1W-Eip21 Firmware, Omron Cs1W-Eip21, Omron Cs1W-Spu01-V2 Firmware, Omron Cs1W-Spu01-V2, Omron Cs1W-Spu02-V2 Firmware.