Japanese electrical equipment company Fuji Electric has released an update for one of its human-machine interface (HMI) products to address several vulnerabilities.
The affected product is the Fuji Electric Monitouch V-SFT, an application that allows organizations to configure their HMI screens. The software is used worldwide in the critical manufacturing and energy sectors.
ICS-CERT informed organizations on Thursday that the Monitouch V-SFT software is affected by stack and heap buffer overflows and improper privilege management vulnerabilities that can be exploited to execute arbitrary code and escalate privileges.
The security holes were reported to the vendor by researchers Ariele Caltabiano (aka kimiya) and Fritz Sands through Trend Micro’s Zero Day Initiative (ZDI) in September 2016.
According to ZDI, the buffer overflow flaws, which allow a remote attacker to cause a crash or execute arbitrary code in the context of the targeted process, can be exploited by getting the targeted user to visit a malicious web page or open a malicious file.
The vulnerabilities, tracked as CVE-2017-9659 and CVE-2017-9660, exist due to the way the application parses V8 project files and is caused by the lack of proper validation for the length of user-supplied data prior to copying it to a fixed-length buffer.
While ZDI has classified the buffer overflows as medium severity bugs with a CVSS score of 6.8, ICS-CERT has rated the issues as high severity with a CVSS score of 7.3.
Related: Learn More at SecurityWeek’s ICS Cyber Security Conference
The third type of vulnerability affecting Fuji Electric’s Monitouch V-SFT is less severe. It allows a local attacker who has the ability to execute low-privileged code to escalate their permissions.
“The specific flaw exists within the configuration of Monitouch V-SFT. The software is installed with weak access controls on the executable files. An attacker can leverage this vulnerability to execute code in the context of any user of the software,” ZDI said in its advisory.
ICS-CERT says all these vulnerabilities have been patched by the vendor with the release of Monitouch V-SFT 5.4.43.0. In addition to applying the update, the agency has advised organizations to take measures to limit access to control systems.
Related: Critical Vulnerabilities Found in Mitsubishi HMI Tool
Related: Average Patching Time for SCADA Flaws Is 150 Days
Related: Security Firm Discloses Unpatched Flaws in Schneider HMI Product
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Microsoft’s Verified Publisher Status Abused in Email Theft Campaign
- British Retailer JD Sports Discloses Data Breach Affecting 10 Million Customers
- Meta Awards $27,000 Bounty for 2FA Bypass Vulnerability
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Hive Ransomware Operation Shut Down by Law Enforcement
- UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies
- Dozens of Cybersecurity Companies Announced Layoffs in Past Year
Latest News
- Sentra Raises $30 Million for DSPM Technology
- Cyber Insights 2023: Cyberinsurance
- Cyber Insights 2023: Attack Surface Management
- Cyber Insights 2023: Artificial Intelligence
- Microsoft’s Verified Publisher Status Abused in Email Theft Campaign
- Guardz Emerges From Stealth Mode With $10 Million in Funding
- How the Atomized Network Changed Enterprise Protection
- Critical QNAP Vulnerability Leads to Code Injection
