Published:2024/08/29  Last Updated:2024/09/20

JVN#08342147
WindLDR and WindO/I-NV4 store sensitive information in cleartext

Overview

WindLDR and WindO/I-NV4 provided by IDEC Corporation store sensitive information in cleartext form.

Products Affected

  • WindLDR Ver.9.1.0 and earlier
  • WindO/I-NV4 Ver.3.0.1 and earlier

Description

PLC programming software "WindLDR" and Operator Interfaces' Touchscreen Programming Software "WindO/I-NV4" provided by IDEC Corporation store sensitive information in cleartext form (CWE-312).

Impact

An attacker who obtained the product's project file may obtain user credentials of the PLC or Operator Interfaces. As a result, an attacker may be able to manipulate and/or suspend the PLC and Operator Interfaces by accessing or hijacking them.

Solution

Update the Software
Apply the appropriate update according to the information provided by the developer.
The developer has released the following updates that contain a fix for this vulnerability:

  • WindLDR Ver.9.2.0
  • WindO/I-NV4 Ver.3.1.0

Vendor Status

Vendor Link
IDEC Corporation WindLDR and WindO/I-NV4 store sensitive information in cleartext (PDF)

References

  1. ICS Advisory | ICSA-24-263-03
    IDEC CORPORATION WindLDR and WindO/I-NV4

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Base Score: 5.9
Attack Vector(AV) Physical (P) Local (L) Adjacent (A) Network (N)
Attack Complexity(AC) High (H) Low (L)
Privileges Required(PR) High (H) Low (L) None (N)
User Interaction(UI) Required (R) None (N)
Scope(S) Unchanged (U) Changed (C)
Confidentiality Impact(C) None (N) Low (L) High (H)
Integrity Impact(I) None (N) Low (L) High (H)
Availability Impact(A) None (N) Low (L) High (H)

Comment

Confidentiality(C) impact is accessed as primary, and Integrity(I) and Availability(A) impacts are assessed as secondary.

Credit

Yuki Meguro of Toinx Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2024-41716
JVN iPedia JVNDB-2024-000089

Update History

2024/09/20
Information under the section [References] was updated.