CVE-2022-31204

7.5 HIGH

📋 TL;DR

Omron CS, CJ and CP series PLCs send the UM (user memory) Protection password in cleartext inside the FINS PROGRAM AREA PROTECT and PROGRAM AREA PROTECT CLEAR commands. Anyone who can observe the traffic between the engineering workstation and the PLC can recover the password, clear the protection themselves, and then read or modify the controller's program. These controllers are widely deployed in industrial control systems.

💻 Affected Systems

Products:
  • Omron CS series PLCs
  • Omron CJ series PLCs
  • Omron CP series PLCs
Versions: All firmware versions released through 2022-05-18; no fixed firmware has been published
Operating Systems: PLC firmware
Default Config Vulnerable: ⚠️ Yes
Notes: The password is exposed every time UM Protection is set or cleared over the network. FINS offers no option to encrypt it, so no PLC setting removes the exposure.

📦 What is this software?

The Omron SYSMAC CS, CJ and CP series are programmable logic controllers used in factory automation. They are programmed and maintained with Omron's CX-Programmer engineering software, which talks to the CPU unit over the FINS protocol (UDP or TCP port 9600). UM Protection is the feature that password-protects the user program memory (UM) against unauthorized access from engineering software.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers capture passwords, bypass protection, and upload malicious logic to PLCs, potentially causing physical damage, production disruption, or safety incidents in industrial environments.

🟠

Likely Case

Attackers intercept passwords during network transmission and gain unauthorized access to modify PLC logic or steal intellectual property from engineering projects.

🟢

If Mitigated

If FINS traffic is confined to a segmented engineering network and monitored, an attacker who is not already on that segment cannot capture the password, and one who is can be detected when the protect/clear commands or FINS traffic from an unexpected host appear on the wire.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: None known; none is needed, a packet capture of the engineering session is sufficient
Weaponized: No public tooling known; no tooling is required beyond a network tap and a FINS-aware packet decoder
Unauthenticated Exploit: Yes (passive capture; the CVSS vector is PR:N)
Complexity: LOW

Exploitation requires a position from which FINS traffic between the engineering workstation and the PLC can be observed, for example a host on the same segment, a switch span port, or a compromised network device. No authentication is needed to read the cleartext password from the PROGRAM AREA PROTECT or PROTECT CLEAR command, and the captured password can then be replayed in a PROTECT CLEAR command of the attacker's own.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: None available

Advisory: CISA ICSA-22-179-02, https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-02 (refers to Omron's own guidance)

Restart Required: Not applicable (no patch)

Instructions:

No firmware patch has been released. The published guidance is to apply the workarounds below and treat network access to the PLC as the control that protects the password.

🔧 Temporary Workarounds

Network Segmentation (all affected series)

Place the PLCs and their engineering workstations on a dedicated OT segment and permit FINS (UDP and TCP port 9600) only from the engineering hosts that need it. The password is only exposed to hosts that can see that segment's traffic.

VPN/Encrypted Tunnels (all affected series)

Carry remote engineering access inside an encrypted tunnel. The PLC itself cannot terminate a tunnel, so the final hop from the tunnel endpoint to the PLC still carries FINS in cleartext; the endpoint must sit on the same protected segment as the PLC for the tunnel to help.

🧯 If You Can't Patch

  • Restrict who can reach port 9600 on the PLCs to the engineering workstations that need it, and block it from every other host
  • Monitor FINS traffic for PROGRAM AREA PROTECT and PROTECT CLEAR commands and for FINS from any source outside the engineering-host allowlist, and alert on both

🔍 How to Verify

Check if Vulnerable:

Any CS, CJ or CP series PLC whose UM Protection password is set or cleared over the network is affected; no firmware version is exempt. To confirm it on your own equipment, capture FINS traffic on port 9600 while setting or clearing protection from CX-Programmer and look for the password in the parameters of the PROGRAM AREA PROTECT / PROTECT CLEAR command.

Check Version:

Check PLC firmware version through engineering software (CX-Programmer or similar)

Verify Fix Applied:

Since there is no fix, verify the compensating controls instead: confirm that port 9600 on each PLC is reachable only from the authorized engineering hosts, and that a capture taken outside the protected segment shows no FINS traffic at all.

📡 Detection & Monitoring

Log Indicators:

  • Repeated PROGRAM AREA PROTECT CLEAR attempts answered with a FINS error response, which indicates password guessing (the PLC keeps no authentication log, so this must come from network monitoring or the engineering workstation)
  • Engineering tool connections to a PLC from a host that is not on the engineering-host allowlist

Network Indicators:

  • FINS protocol traffic containing Program Area Protect/Clear commands
  • Cleartext password strings in network captures

SIEM Query:

Flows to UDP or TCP port 9600 whose FINS command code is 0x0704 (PROGRAM AREA PROTECT) or 0x0705 (PROGRAM AREA PROTECT CLEAR), and any FINS traffic whose source is outside the engineering-host allowlist
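The detection described in this section and the verification step above can both be done with a small FINS decoder. The following is an added example, not code from the advisory or from Omron. It assumes the frame layout given in the public FINS command reference (a 10-byte header followed by a 2-byte command code, and for commands 07 04 / 07 05 a 15-byte parameter block whose last 4 bytes are the ASCII password) and that FINS/TCP wraps each frame in a 16-byte header beginning with "FINS". The sample packets, IP addresses and the engineering-host allowlist are constructed for the example.

```python
"""Detect Omron FINS PROGRAM AREA PROTECT / PROTECT CLEAR commands and recover
the cleartext UM Protection password they carry (CVE-2022-31204).

Added example; not code from the advisory or from Omron. Frame layouts are
taken from the public FINS command reference and are assumptions of this
example; the sample packets and addresses below are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

FINS_PORT = 9600                     # FINS/UDP and FINS/TCP both use port 9600
PROGRAM_AREA_PROTECT = 0x0704        # sets UM Protection; parameters carry the password
PROGRAM_AREA_PROTECT_CLEAR = 0x0705  # clears UM Protection; parameters carry the password
PASSWORD_COMMANDS = {PROGRAM_AREA_PROTECT: "PROGRAM AREA PROTECT",
                     PROGRAM_AREA_PROTECT_CLEAR: "PROGRAM AREA PROTECT CLEAR"}
FINS_HEADER_LEN = 10       # ICF RSV GCT DNA DA1 DA2 SNA SA1 SA2 SID
FINS_TCP_HEADER_LEN = 16   # b"FINS" + length + command + error code
# Assumed 07 04 / 07 05 parameter block: program no. (2) + protect code (1)
# + beginning word (4) + last word (4) + password (4 ASCII characters).
PASSWORD_OFFSET, PASSWORD_LEN = 11, 4

Packet = Tuple[str, str, int, bytes]   # (src_ip, dst_ip, dst_port, payload)


@dataclass
class FinsCommand:
    src_node: int
    dst_node: int
    sid: int
    command: int
    params: bytes

    @property
    def password(self) -> Optional[str]:
        """Cleartext password for protect/clear commands, else None."""
        end = PASSWORD_OFFSET + PASSWORD_LEN
        if self.command not in PASSWORD_COMMANDS or len(self.params) < end:
            return None
        return self.params[PASSWORD_OFFSET:end].decode("ascii", errors="replace")


def strip_fins_tcp(payload: bytes) -> bytes:
    """FINS/TCP wraps each frame in a 16-byte header starting b"FINS";
    FINS/UDP carries the frame bare. Return the bare frame either way."""
    if payload.startswith(b"FINS") and len(payload) >= FINS_TCP_HEADER_LEN:
        return payload[FINS_TCP_HEADER_LEN:]
    return payload


def parse_fins(payload: bytes) -> Optional[FinsCommand]:
    """Parse a FINS command frame; None for truncated frames and for
    responses (ICF bit 6 set), which never carry the password."""
    frame = strip_fins_tcp(payload)
    if len(frame) < FINS_HEADER_LEN + 2:
        return None
    icf, _rsv, _gct, _dna, da1, _da2, _sna, sa1, _sa2, sid = frame[:FINS_HEADER_LEN]
    if icf & 0x40:
        return None
    (command,) = struct.unpack("!H", frame[FINS_HEADER_LEN:FINS_HEADER_LEN + 2])
    return FinsCommand(sa1, da1, sid, command, frame[FINS_HEADER_LEN + 2:])


def scan_packets(packets: Iterable[Packet], authorized_hosts: Iterable[str]) -> List[str]:
    """Alert on (a) FINS commands from hosts outside the engineering allowlist
    and (b) protect/clear commands, quoting the password they expose."""
    allowed = set(authorized_hosts)
    alerts: List[str] = []
    for src_ip, dst_ip, dst_port, payload in packets:
        if dst_port != FINS_PORT:
            continue
        cmd = parse_fins(payload)
        if cmd is None:
            continue
        if src_ip not in allowed:
            alerts.append(f"{src_ip} -> {dst_ip}: FINS command 0x{cmd.command:04x} "
                          f"from unauthorized host")
        if cmd.password is not None:
            alerts.append(f"{src_ip} -> {dst_ip}: {PASSWORD_COMMANDS[cmd.command]} "
                          f"with cleartext password {cmd.password!r}")
    return alerts


def build_fins_frame(command: int, params: bytes, dst_node: int = 1,
                     src_node: int = 10, sid: int = 1) -> bytes:
    """Build a FINS/UDP command frame (ICF 0x80 = command, response required)."""
    header = bytes([0x80, 0x00, 0x02, 0x00, dst_node, 0x00, 0x00, src_node, 0x00, sid])
    return header + struct.pack("!H", command) + params


# Constructed sample traffic: a benign MEMORY AREA READ, a PROTECT over
# FINS/UDP from the engineering host, and a PROTECT CLEAR over FINS/TCP
# from a host that is not on the allowlist.
PROTECT_PARAMS = b"\xff\xff" + b"\x00" + b"\x00\x00\x00\x00" + b"\xff\xff\xff\xff" + b"ab12"
_CLEAR_FRAME = build_fins_frame(PROGRAM_AREA_PROTECT_CLEAR, PROTECT_PARAMS)
SAMPLE_PACKETS: List[Packet] = [
    ("10.0.0.5", "10.0.0.20", 9600, build_fins_frame(0x0101, b"\x82\x00\x00\x00\x00\x0a")),
    ("10.0.0.5", "10.0.0.20", 9600, build_fins_frame(PROGRAM_AREA_PROTECT, PROTECT_PARAMS)),
    ("10.0.0.99", "10.0.0.20", 9600,
     b"FINS" + struct.pack("!III", 8 + len(_CLEAR_FRAME), 2, 0) + _CLEAR_FRAME),
]
AUTHORIZED_ENGINEERING_HOSTS = {"10.0.0.5"}

if __name__ == "__main__":
    for alert in scan_packets(SAMPLE_PACKETS, AUTHORIZED_ENGINEERING_HOSTS):
        print(alert)
```

Run against the constructed packets it raises three alerts: the password "ab12" from the legitimate engineering host's PROTECT command (the exposure this CVE describes), an unauthorized-host alert for 10.0.0.99, and the same password again from that host's PROTECT CLEAR. Feed real captures in by decoding the UDP or TCP payloads to port 9600 into the same (src_ip, dst_ip, dst_port, payload) tuples.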

🔗 References

  • CISA ICS Advisory ICSA-22-179-02: https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-02
  • NVD entry for CVE-2022-31204: https://nvd.nist.gov/vuln/detail/CVE-2022-31204