Fuji Electric fixes vulnerabilities in HMI software

11.08.2017

Fuji-Electric-Monitouch-V-SFT-vulnerabilities

 

Japanese electrical equipment company Fuji Electric has released an update for one of its human-machine interface (HMI) products to fix several vulnerabilities.

The affected Fuji Electric Monitouch V-SFT product is an application that allows organizations to configure their HMI screens. The software is used in critical manufacturing and energy sectors worldwide.

ICS-CERT has informed organizations that the Monitouch V-SFT software is affected by stack and heap buffer overflows and improper privilege management flaws that can be exploited to execute arbitrary code and escalate privileges.

The issues were reported to the company by cybersecurity experts Ariele Caltabiano (aka kimiya) and Fritz Sands.

Buffer overflow vulnerabilities allow a remote hacker to cause a crash or execute arbitrary code in the context of the targeted process, can be exploited by getting the targeted user to visit a malicious web page or open a malicious file.

The flaws tracked as CVE-2017-9659 and CVE-2017-9660 exist due to the way the application parses V8 project files and is caused by the lack of proper validation for the length of user-supplied data prior to copying it to a fixed-length buffer.

ICS-CERT has evaluated the buffer overflows vulnerabilities as high severity with a CVSS score of 7.3.

The third vulnerability affecting Fuji Electric's Monitouch V-SFT is less serious. It allows a local hacker who can execute low-privileged code to escalate their permissions.

The specific vulnerability exists in the Monitouch V-SFT configuration. The software is installed with weak controls to access executable files. A hacker can leverage this flaw to execute code in the context of any user of the software.

ICS-CERT has reported that all of these vulnerabilities have been patched by the company with the release of Monitouch V-SFT 5.4.43.0. It is recommended that organizations take measures to limit access to control systems.

Would you like to comment on this article?

Share

Latest news

20.10.2017

University expelled student for using hardware keylogger

Kansas University has expelled a student for installing a hardware keylogger.

20.10.2017

Fancy Bear hacker group exploits recently patched Flash vulnerability

Russia-linked cyber espionage group has been using a recently patched Adobe Flash Player vulnerability in attacks aimed at government organizations and aerospace companies.

20.10.2017

Sockbot enslave Android devices into botnet

A newly discovered Android malware that can add the compromised devices to a botnet that could launch DDoS attacks.

Sign up for our online newsletter!