CVE-2023-27396

Q: What is the severity of CVE-2023-27396?

CVE-2023-27396 has a CVSS score of 9.8 (CRITICAL). CVE-2023-27396 affects OMRON FINS protocol implementations, allowing attackers to intercept plaintext communications and inject arbitrary commands without authentication. This enables remote code execution and system information disclosure on affected industrial control systems. All versions of multiple SYSMAC CPU Unit series are vulnerable.

9.8 CRITICAL

Remote Code Execution Authentication Bypass

📋 TL;DR

CVE-2023-27396 affects OMRON FINS protocol implementations, allowing attackers to intercept plaintext communications and inject arbitrary commands without authentication. This enables remote code execution and system information disclosure on affected industrial control systems. All versions of multiple SYSMAC CPU Unit series are vulnerable.

💻 Affected Systems

Products:

SYSMAC CS-series CPU Units
SYSMAC CJ-series CPU Units
SYSMAC CP-series CPU Units
SYSMAC NJ-series CPU Units
SYSMAC NX1P-series CPU Units
SYSMAC NX102-series CPU Units
SYSMAC NX7 Database Connection CPU Units

Versions: All versions for most products, NX7 Database Connection CPU Units version 1.16 or later

Operating Systems: Not applicable - embedded industrial controllers

Default Config Vulnerable: ⚠️ Yes

Notes: Affects all default configurations of FINS protocol implementation in listed products.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of industrial control systems leading to production shutdown, equipment damage, or safety incidents through arbitrary command execution.

🟠

Likely Case

Unauthorized access to sensitive industrial data, manipulation of industrial processes, and potential production disruption.

🟢

If Mitigated

Limited impact if devices are isolated in properly segmented networks with strict access controls.

🌐 Internet-Facing: HIGH - Direct internet exposure would allow remote exploitation without authentication.

🏢 Internal Only: HIGH - Even internally, lack of authentication and encryption enables easy exploitation within the network.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

No authentication required and protocol details are publicly documented, making exploitation straightforward for attackers with network access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: https://www.ia.omron.com/product/vulnerability/OMSR-2023-003_en.pdf

Restart Required: No

Instructions:

No firmware patch available. Follow vendor workarounds including network segmentation, firewall rules, and disabling unnecessary services.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate affected devices in dedicated industrial control system networks with strict access controls.

Firewall Rules

all

Implement firewall rules to restrict FINS protocol traffic (default port 9600) to authorized systems only.

🧯 If You Can't Patch

Implement network segmentation to isolate affected devices from untrusted networks
Deploy intrusion detection systems to monitor for FINS protocol anomalies and unauthorized access attempts

🔍 How to Verify

Check if Vulnerable:

Check if device model matches affected products list and verify FINS protocol is enabled on port 9600.

Check Version:

Check device model and firmware version through OMRON programming software or device display.

Verify Fix Applied:

Verify network segmentation is in place and firewall rules block unauthorized FINS traffic.

📡 Detection & Monitoring

Log Indicators:

Unauthorized FINS protocol connections
Unexpected command executions on industrial controllers
Multiple failed authentication attempts (though protocol lacks authentication)

Network Indicators:

FINS protocol traffic from unauthorized IP addresses
Unusual FINS command patterns
Traffic to port 9600 from non-industrial networks

SIEM Query:

source_port:9600 OR dest_port:9600 AND (NOT src_ip IN [authorized_industrial_ips])

📊 Metadata

CVE ID: CVE-2023-27396

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-306

Published: June 19, 2023

Last Updated: December 24, 2024

🔗 References

https://jvn.jp/en/ta/JVNTA91513661/ Third Party Advisory
https://jvn.jp/ta/JVNTA91513661/ Third Party Advisory
https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-02 Not Applicable,Third Party Advisory,US Government Resource
https://www.fa.omron.co.jp/product/vulnerability/OMSR-2023-003_ja.pdf Vendor Advisory
https://www.ia.omron.com/product/vulnerability/OMSR-2023-003_en.pdf Vendor Advisory
https://www.us-cert.gov/ics/advisories/icsa-19-346-02 Not Applicable,Third Party Advisory,US Government Resource
https://www.us-cert.gov/ics/advisories/icsa-20-063-03 Not Applicable,Third Party Advisory,US Government Resource
https://jvn.jp/en/ta/JVNTA91513661/ Third Party Advisory
https://jvn.jp/ta/JVNTA91513661/ Third Party Advisory
https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-02 Not Applicable,Third Party Advisory,US Government Resource
https://www.fa.omron.co.jp/product/vulnerability/OMSR-2023-003_ja.pdf Vendor Advisory
https://www.ia.omron.com/product/vulnerability/OMSR-2023-003_en.pdf Vendor Advisory
https://www.us-cert.gov/ics/advisories/icsa-19-346-02 Not Applicable,Third Party Advisory,US Government Resource
https://www.us-cert.gov/ics/advisories/icsa-20-063-03 Not Applicable,Third Party Advisory,US Government Resource

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Cj2h Cpu64 Eip Firmware by Omron

Cj2h Cpu64 Firmware by Omron

Cj2h Cpu65 Eip Firmware by Omron

Cj2h Cpu65 Firmware by Omron

Cj2h Cpu66 Eip Firmware by Omron

Cj2h Cpu66 Firmware by Omron

Cj2h Cpu67 Eip Firmware by Omron

Cj2h Cpu67 Firmware by Omron

Cj2h Cpu68 Eip Firmware by Omron

Cj2h Cpu68 Firmware by Omron

Cj2m Cpu11 Firmware by Omron

Cj2m Cpu12 Firmware by Omron

Cj2m Cpu13 Firmware by Omron

Cj2m Cpu14 Firmware by Omron

Cj2m Cpu15 Firmware by Omron

Cj2m Cpu31 Firmware by Omron

Cj2m Cpu32 Firmware by Omron

Cj2m Cpu33 Firmware by Omron

Cj2m Cpu34 Firmware by Omron

Cj2m Cpu35 Firmware by Omron

Cj2m Md211 Firmware by Omron

Cj2m Md212 Firmware by Omron

Cp1e E10dr A Firmware by Omron

Cp1e E10dr D Firmware by Omron

Cp1e E10dt A Firmware by Omron

Cp1e E10dt D Firmware by Omron

Cp1e E10dt1 A Firmware by Omron

Cp1e E10dt1 D Firmware by Omron

Cp1e E14dr A Firmware by Omron

Cp1e E14sdr A Firmware by Omron

Cp1e E20dr A Firmware by Omron

Cp1e E20sdr A Firmware by Omron

Cp1e E30dr A Firmware by Omron

Cp1e E30sdr A Firmware by Omron

Cp1e E40dr A Firmware by Omron

Cp1e E40sdr A Firmware by Omron

Cp1e E60sdr A Firmware by Omron

Cp1e N14dr A Firmware by Omron

Cp1e N14dr D Firmware by Omron

Cp1e N14dt A Firmware by Omron

Cp1e N14dt D Firmware by Omron

Cp1e N14dt1 A Firmware by Omron

Cp1e N14dt1 D Firmware by Omron

Cp1e N20dr A Firmware by Omron

Cp1e N20dr D Firmware by Omron

Cp1e N20dt A Firmware by Omron

Cp1e N20dt D Firmware by Omron

Cp1e N20dt1 A Firmware by Omron

Cp1e N20dt1 D Firmware by Omron

Cp1e N30dr A Firmware by Omron

Cp1e N30dr D Firmware by Omron

Cp1e N30dt A Firmware by Omron

Cp1e N30dt D Firmware by Omron

Cp1e N30dt1 A Firmware by Omron

Cp1e N30dt1 D Firmware by Omron

Cp1e N30s1dr A Firmware by Omron

Cp1e N30s1dt D Firmware by Omron

Cp1e N30s1dt1 D Firmware by Omron

Cp1e N30sdr A Firmware by Omron

Cp1e N30sdt D Firmware by Omron

Cp1e N30sdt1 D Firmware by Omron

Cp1e N40dr A Firmware by Omron

Cp1e N40dr D Firmware by Omron

Cp1e N40dt A Firmware by Omron

Cp1e N40dt D Firmware by Omron

Cp1e N40dt1 A Firmware by Omron

Cp1e N40dt1 D Firmware by Omron

Cp1e N40s1dr A Firmware by Omron

Cp1e N40s1dt D Firmware by Omron

Cp1e N40s1dt1 D Firmware by Omron

Cp1e N40sdr A Firmware by Omron

Cp1e N40sdt D Firmware by Omron

Cp1e N40sdt1 D Firmware by Omron

Cp1e N60dr A Firmware by Omron

Cp1e N60dr D Firmware by Omron

Cp1e N60dt A Firmware by Omron

Cp1e N60dt D Firmware by Omron