Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

Panasonic Patches Flaws in PLC Programming Software

Panasonic has released an update for its FPWIN Pro application to patch several vulnerabilities identified by a researcher.

Panasonic has released an update for its FPWIN Pro application to patch several vulnerabilities identified by a researcher.

Panasonic FPWIN Pro is a programming software for the company’s FP series programmable logic controllers (PLCs). The product, developed by Panasonic’s industrial devices unit, is deployed in North America, Europe and Asia in the critical manufacturing, commercial facilities, and food and agriculture sectors.

Security researcher Steven Seeley of Source Incite discovered that the product is plagued by multiple vulnerabilities that can be exploited for remote code execution and to cause the application to crash.

Seeley reported his findings via the Zero Day Initiative (ZDI), which published separate advisories for each of the flaws. ICS-CERT has also published an advisory to briefly describe the vulnerabilities and their impact.

The researcher discovered two heap-based buffer overflow (CVE-2016-4499), uninitialized pointer access (CVE-2016-4498), type confusion (CVE-2016-4497), and multiple out-of-bounds write vulnerabilities (CVE-2016-4496). All of these issues have been assigned a medium severity rating.

The security holes can be exploited by an attacker who can convince the targeted user to open a malicious project file. While ICS-CERT’s advisory says the vulnerabilities can be leveraged to crash Panasonic’s FPWIN Pro software, ZDI says they can also be exploited for arbitrary code execution. ICS-CERT pointed out that the flaws don’t impact the systems controlled by the software.

Related: Registration for 2016 ICS Cyber Security Conference Now Open

“Crafting a working exploit for these vulnerabilities would be difficult. Social engineering is required to convince the user to accept the malformed project file. Additional user interaction is needed to load the malformed file. This decreases the likelihood of a successful exploit,” ICS-CERT explained.

The flaws affect FPWIN Pro 5.x, FPWIN Pro 6.x, and FPWIN Pro 7.122 and prior versions. Panasonic was informed about the vulnerabilities in early February and the company addressed them on April 26 with the release of FPWIN Pro 7.130.

The vendor noted that version 5.x has reached end-of-support, and version 6.x will no longer be supported starting with September 2016. Users of these older versions have been advised to upgrade their products.

Related Reading: PLC Worms Can Pose Serious Threat to Industrial Networks

Related Reading: High Severity Flaw Found in Schneider PLC Products

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

ICS/OT

Otorio has released a free tool that organizations can use to detect and address issues related to DCOM authentication.

ICS/OT

Vulnerabilities in GE’s Proficy Historian product could be exploited for espionage and to cause damage and disruption in industrial environments.

ICS/OT

A hacktivist group has made bold claims regarding an attack on an ICS device, but industry professionals have questioned their claims.

Cybersecurity Funding

Internet of Things (IoT) and Industrial IoT security provider Shield-IoT this week announced that it has closed a $7.4 million Series A funding round,...

ICS/OT

Vulnerabilities in industrial routers made by InHand Networks could allow hackers to bypass security systems and gain access to OT networks.

ICS/OT

Schneider Electric in recent months released patches for its EcoStruxure platform and some Modicon programmable logic controllers (PLCs) to address a critical vulnerability that...

ICS/OT

Organizations using controllers made by Rockwell Automation have been informed recently about several potentially serious vulnerabilities.