Omron CX-Supervisor (Update A) (ICSA-18-290-01) – Product Used in the Energy Sector

January 31, 2019

The NCCIC has updated this advisory with information on how this vulnerability was discovered. NCCIC/ICS-CERT.

October 17, 2018

The NCCIC has released an advisory on improper restriction of operations within the bounds of a memory buffer, out-of-bounds read, use-after-free, and incorrect type conversion or cast vulnerabilities in Omron CX-Supervisor. Versions 3.4.1.0 and prior are affected. Successful exploitation of these vulnerabilities could allow an attacker to execute code under the context of the application, corrupt objects, and force the application to read a value outside of an array. Omron has released Version 3.4.2 of CX-Supervisor to address the reported vulnerabilities. The NCCIC also recommends a series of defensive measures to minimize the risk of exploitation of these vulnerabilities. NCCIC/ICS-CERT.