SecurityWeek

Flaws Found in Fuji Electric Tool That Links Corporate PCs to ICS

Several vulnerabilities rated “high severity” have been discovered by researchers in Fuji Electric V-Server. The vendor has released updates that should address the flaws.

The existence of the security holes, all of which could allow a remote attacker to execute arbitrary code, was made public this week when ICS-CERT published two advisories.

Fuji Electric V-Server is a tool that allows organizations to access programmable logic controllers (PLCs) located in the plant from PCs located on the corporate network. The two systems are linked over Ethernet via the Monitouch human-machine interfaces (HMI) that are used to monitor the PLCs. ICS-CERT says the product is used worldwide, mainly in the critical manufacturing sector.

According to ICS-CERT, Fuji Electric V-Server is affected by use-after-free, untrusted pointer dereference, heap-based buffer overflow, out-of-bounds write, integer underflow, out-of-bounds read, and stack-based buffer overflow vulnerabilities that may allow remote code execution, which could lead to a denial-of-service (DoS) condition or information disclosure.

A separate advisory from ICS-CERT describes a high severity buffer overflow affecting V-Server Lite. The flaw can be exploited for code execution – and again it can lead to a DoS condition or information leakage – using specially crafted project files.

All the vulnerabilities have been patched by Fuji Electric with the release of version 4.0.4.0.

The V-Server vulnerabilities were reported to the vendor via Trend Micro’s Zero Day Initiative (ZDI) by Steven Seeley of Source Incite. The flaw affecting the Lite version was identified by Ariele Caltabiano (aka kimiya) and also reported to Fuji Electric via ZDI.

ICS-CERT warned that public exploits are available for some of the vulnerabilities. This may refer to the fact that ZDI has published more than a dozen advisories describing security holes found by Seeley and Caltabiano in Fuji Electric V-Server. The ZDI advisories were published just as this article was being written – several hours after ICS-CERT released its own advisories – but they do not contain any technical information on the flaws.

According to the ZDI advisories, Seeley reported the vulnerabilities to the vendor in March 2018, while Caltabiano did so in June.

ZDI says the flaws “exist within the parsing of a VPR file” and are caused either by a failure to validate that an object exists before performing operations on it, or by a lack of proper validation of user-supplied data.

While the ICS-CERT advisories assign a “high severity” rating to the vulnerabilities, the ZDI advisories describe them as “medium severity” with a CVSS score of 6.8. The weakness found by Caltabiano has a CVSS score of 9.3 (critical) in the ZDI advisory.

Vulnerabilities affecting products that connect the corporate network to industrial control systems (ICS) can pose a serious threat since that is how many threat actors attempt to make their way onto sensitive systems.

A study conducted recently by Positive Technologies showed that in many organizations hackers can easily gain access to industrial environments from the corporate network.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
