ICS/OT

CISA Issues Advisory for High-Severity Vulnerabilities in Fuji Electric HMI Products

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week released an advisory to inform industrial organizations that some SCADA/HMI products made by Japanese electrical equipment company Fuji Electric are affected by potentially serious vulnerabilities.

Published

<p><strong><span><span>The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week released an advisory to inform industrial organizations that some SCADA/HMI products made by Japanese electrical equipment company Fuji Electric are affected by potentially serious vulnerabilities.</span></span></strong></p>

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week released an advisory to inform industrial organizations that some SCADA/HMI products made by Japanese electrical equipment company Fuji Electric are affected by potentially serious vulnerabilities.

The impacted products are Tellus Lite V-Simulator and V-Server Lite. Telus and V-Server SCADA/HMI products are designed to help users monitor and operate their plants, including remote locations. CISA says the products are used worldwide, particularly in the critical manufacturing sector.

The vulnerabilities, reported to Fuji Electric by various researchers through Trend Micro’s Zero Day Initiative (ZDI) and CISA, have been described as buffer overflow, out-of-bounds read/write and uninitialized pointer issues that can be exploited for arbitrary code execution. An attacker could exploit the vulnerabilities by tricking the targeted user into opening a malicious project file.

According to CISA, the vulnerabilities affect Tellus Lite V-Simulator and V-Server Lite versions prior to 4.0.10.0, which should patch the flaws. This update was apparently released in October 2020.

Learn more about vulnerabilities in industrial systems at SecurityWeek’s ICS Cyber Security Conference and SecurityWeek’s Security Summits virtual event series

It’s worth noting that ZDI published advisories for some of these vulnerabilities in September 2020, after the vendor failed to release patches within a 120-day deadline. The advisories were published at the time with a “0day” status. ZDI will likely soon also make public the advisories describing the remaining vulnerabilities.

The public ZDI advisories reveal that the vulnerabilities are caused by “the lack of proper validation of user-supplied data,” which results in memory corruption, and can ultimately lead to remote code execution.

Related: Flaws Found in Fuji Electric Tool That Links Corporate PCs to ICS

Advertisement. Scroll to continue reading.

Related: No Patches for Critical Flaws in Fuji Electric Servo System, Drives

Related: Fuji Electric Patches Vulnerabilities in HMI Software

In this article:

Related Content

Cloud SCADA

ICS/OT

UK Government Releases Cloud SCADA Security Guidance

UK’s NCSC releases security guidance for OT organizations considering migrating their SCADA solutions to the cloud.

March 18, 2024

ICS/OT

Cyber Insights 2024: OT, ICS and IIoT

In an age of increasing geopolitical tensions caused by actual wars, and the threat of Chinese action against Taiwan, OT is a target that...

March 6, 2024

ICS/OT

Podcast: Palo Alto Networks Talks IT/OT Convergence

SecurityWeek interviews Del Rodillas, Senior Director of Product Management at Palo Alto Networks, about the integration of IT and OT in the ICS threat landscape.

January 31, 2024

ICS/OT

Unpatched Rapid SCADA Vulnerabilities Expose Industrial Organizations to Attacks

Seven vulnerabilities found in Rapid SCADA could be exploited to gain access to sensitive industrial systems, but they remain unpatched.

January 18, 2024

ICS/OT

Breaches by Iran-Affiliated Hackers Spanned Multiple U.S. States, Federal Agencies Say

The Municipal Water Authority of Aliquippa was just one of multiple organizations breached in the U.S. by Iran-linked "Cyber Av3ngers" hackers

December 2, 2023

ICS/OT

Congressmen Ask DOJ to Investigate Water Utility Hack, Warning It Could Happen Anywhere

Members of Congress asked the U.S. Justice Department to investigate how foreign hackers breached a water authority near Pittsburgh, prompting CISA to warn other...

December 1, 2023

ICS/OT

Critical Infrastructure Stakeholders Gather for Day 2 of SecurityWeek’s 2023 ICS Cybersecurity Conference

SecurityWeek’s 2023 ICS Cybersecurity Conference continues in Atlanta, as hundreds of industrial cybersecurity stakeholders gather for Day 2 of the annual industrial cybersecurity conference.

October 25, 2023

ICS/OT

Watch Now: Exposing Common Myths of OT Cybersecurity

Join SecurityWeek and TXOne Networks for this webinar as we expose common misconceptions surrounding the security of Operational Technology (OT) and dive into the...

July 27, 2023

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version