1. EXECUTIVE SUMMARY
- CVSS v3 5.5
- ATTENTION: Low attack complexity
- Vendor: Omron
- Equipment: Sysmac Studio, NX-IO Configurator
- Vulnerability: Path Traversal
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to overwrite files on a system.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Omron engineering software are affected:
- Sysmac Studio: version 1.54 and prior
- NX-IO Configurator: version 1.22 and prior
3.2 Vulnerability Overview
3.2.1 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22
DotNetZip.Semvered before 1.11.0 is vulnerable to directory traversal, which could allow attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry mishandled during extraction. This vulnerability is also known as “Zip-Slip.”
CVE-2018-1002205 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: Japan
3.4 RESEARCHER
Reid Wightman of Dragos reported this vulnerability to CISA. Michael Heinzl reported the Zip-Slip vulnerability to JPCERT/CC.
4. MITIGATIONS
OMRON recommends the following general mitigation measures to minimize the risk of vulnerability exploitation:
- Anti-virus protection:
- Protect any PC with access to the control system against malware and ens
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.This article has been indexed from All CISA AdvisoriesRead the original article:
- Protect any PC with access to the control system against malware and ens