Key vulnerability information
Vulnerability ID: JVN#92279973
Vulnerability name: Multiple vulnerabilities in IDEC PLCs
Published: 2021/12/24
Last updated: 2022/01/07

Products Affected
CVE-2021-37400, CVE-2021-37401
- FC6A Series MICROSmart All-in-One CPU module v2.32 and earlier
- FC6B Series MICROSmart All-in-One CPU module v2.31 and earlier
- FC6A Series MICROSmart Plus CPU module v1.91 and earlier
- FC6B Series MICROSmart Plus CPU module v2.31 and earlier
- FT1A Series SmartAXIS Pro/Lite v2.31 and earlier
- WindLDR v8.19.1 and earlier
- WindEDIT v1.3.1 and earlier
- Data File Manager v2.12.1 and earlier

CVE-2021-20826, CVE-2021-20827
- FC6A Series MICROSmart All-in-One CPU module v2.32 and earlier
- FC6A Series MICROSmart Plus CPU module v1.91 and earlier
- WindLDR v8.19.1 and earlier
- WindEDIT Lite v1.3.1 and earlier
- Data File Manager v2.12.1 and earlier

Description
- Unprotected transport of credentials (CWE-523) - CVE-2021-37400
- Plaintext storage of a password (CWE-256) - CVE-2021-37401
- Unprotected transport of credentials (CWE-523) - CVE-2021-20826
- Plaintext storage of a password (CWE-256) - CVE-2021-20827

Impact
An attacker may obtain the user credentials, either by capturing them in transit between the engineering software and the PLC (CWE-523) or by reading them from where they are stored in plaintext (CWE-256). With the credentials, the PLC user program may be uploaded, altered, and/or downloaded, and manipulation of the PLC output and/or suspension of the PLC may be conducted.

Solution
Update the software:
- FC6A Series MICROSmart All-in-One CPU module v2.40 and later
- FC6B Series MICROSmart All-in-One CPU module v2.40 and later
- FC6A Series MICROSmart Plus CPU module v2.00 and later
- WindLDR v8.20.0 and later
- WindEDIT Lite v1.4.0 and later
- Data File Manager v2.13.0 and later

Apply workarounds:
- Restrict the network appropriately.
- Restrict the devices which can access the PLCs.
- Manage ZLD files appropriately.

References
1. ICS Advisory (ICSA-22-006-03) IDEC PLCs

Vulnerability Analysis by JPCERT/CC
CVEs were assigned by MITRE and JPCERT/CC as requested by Khalid Ansari.

Credit
Khalid Ansari of FM Approvals reported these vulnerabilities to IDEC Corporation.