SB2024083016 - Multiple vulnerabilities in IDEC Programmable Logic Controllers
Published: August 30, 2024
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Generation of Predictable Numbers or Identifiers (CVE-ID: CVE-2024-28957)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to generation of predictable numbers or identifiers. A remote attacker can predict some packet header IDs of the device and interfere with communications.
2) Cleartext transmission of sensitive information (CVE-ID: CVE-2024-41927)
The vulnerability allows a local attacker to gain access to sensitive information.
The vulnerability exists because the software uses an insecure communication channel to transmit sensitive information. An attacker with physical access can gain access to sensitive data.
Remediation
Install the update from the vendor's website.