Panasonic has released an update for its FPWIN Pro application to patch several vulnerabilities identified by a researcher.
Panasonic FPWIN Pro is a programming software for the company’s FP series programmable logic controllers (PLCs). The product, developed by Panasonic’s industrial devices unit, is deployed in North America, Europe and Asia in the critical manufacturing, commercial facilities, and food and agriculture sectors.
Security researcher Steven Seeley of Source Incite discovered that the product is plagued by multiple vulnerabilities that can be exploited for remote code execution and to cause the application to crash.
Seeley reported his findings via the Zero Day Initiative (ZDI), which published separate advisories for each of the flaws. ICS-CERT has also published an advisory to briefly describe the vulnerabilities and their impact.
The researcher discovered two heap-based buffer overflow (CVE-2016-4499), uninitialized pointer access (CVE-2016-4498), type confusion (CVE-2016-4497), and multiple out-of-bounds write vulnerabilities (CVE-2016-4496). All of these issues have been assigned a medium severity rating.
The security holes can be exploited by an attacker who can convince the targeted user to open a malicious project file. While ICS-CERT’s advisory says the vulnerabilities can be leveraged to crash Panasonic’s FPWIN Pro software, ZDI says they can also be exploited for arbitrary code execution. ICS-CERT pointed out that the flaws don’t impact the systems controlled by the software.
“Crafting a working exploit for these vulnerabilities would be difficult. Social engineering is required to convince the user to accept the malformed project file. Additional user interaction is needed to load the malformed file. This decreases the likelihood of a successful exploit,” ICS-CERT explained.
The flaws affect FPWIN Pro 5.x, FPWIN Pro 6.x, and FPWIN Pro 7.122 and prior versions. Panasonic was informed about the vulnerabilities in early February and the company addressed them on April 26 with the release of FPWIN Pro 7.130.
The vendor noted that version 5.x has reached end-of-support, and version 6.x will no longer be supported starting with September 2016. Users of these older versions have been advised to upgrade their products.
Related Reading: PLC Worms Can Pose Serious Threat to Industrial Networks
Related Reading: High Severity Flaw Found in Schneider PLC Products