Japanese electrical equipment company Fuji Electric has released an update for one of its human-machine interface (HMI) products to fix several vulnerabilities.
The affected Fuji Electric Monitouch V-SFT product is an application that allows organizations to configure their HMI screens. The software is used in critical manufacturing and energy sectors worldwide.
ICS-CERT has informed organizations that the Monitouch V-SFT software is affected by stack and heap buffer overflows and improper privilege management flaws that can be exploited to execute arbitrary code and escalate privileges.
The issues were reported to the company by cybersecurity experts Ariele Caltabiano (aka kimiya) and Fritz Sands.
Buffer overflow vulnerabilities allow a remote hacker to cause a crash or execute arbitrary code in the context of the targeted process, can be exploited by getting the targeted user to visit a malicious web page or open a malicious file.
The flaws tracked as CVE-2017-9659 and CVE-2017-9660 exist due to the way the application parses V8 project files and is caused by the lack of proper validation for the length of user-supplied data prior to copying it to a fixed-length buffer.
ICS-CERT has evaluated the buffer overflows vulnerabilities as high severity with a CVSS score of 7.3.
The third vulnerability affecting Fuji Electric's Monitouch V-SFT is less serious. It allows a local hacker who can execute low-privileged code to escalate their permissions.
The specific vulnerability exists in the Monitouch V-SFT configuration. The software is installed with weak controls to access executable files. A hacker can leverage this flaw to execute code in the context of any user of the software.
ICS-CERT has reported that all of these vulnerabilities have been patched by the company with the release of Monitouch V-SFT 18.104.22.168. It is recommended that organizations take measures to limit access to control systems.