Fuji Electric fixes vulnerabilities in HMI software

11.08.2017

Fuji-Electric-Monitouch-V-SFT-vulnerabilities

 

Japanese electrical equipment company Fuji Electric has released an update for one of its human-machine interface (HMI) products to fix several vulnerabilities.

The affected Fuji Electric Monitouch V-SFT product is an application that allows organizations to configure their HMI screens. The software is used in critical manufacturing and energy sectors worldwide.

ICS-CERT has informed organizations that the Monitouch V-SFT software is affected by stack and heap buffer overflows and improper privilege management flaws that can be exploited to execute arbitrary code and escalate privileges.

The issues were reported to the company by cybersecurity experts Ariele Caltabiano (aka kimiya) and Fritz Sands.

Buffer overflow vulnerabilities allow a remote hacker to cause a crash or execute arbitrary code in the context of the targeted process, can be exploited by getting the targeted user to visit a malicious web page or open a malicious file.

The flaws tracked as CVE-2017-9659 and CVE-2017-9660 exist due to the way the application parses V8 project files and is caused by the lack of proper validation for the length of user-supplied data prior to copying it to a fixed-length buffer.

ICS-CERT has evaluated the buffer overflows vulnerabilities as high severity with a CVSS score of 7.3.

The third vulnerability affecting Fuji Electric's Monitouch V-SFT is less serious. It allows a local hacker who can execute low-privileged code to escalate their permissions.

The specific vulnerability exists in the Monitouch V-SFT configuration. The software is installed with weak controls to access executable files. A hacker can leverage this flaw to execute code in the context of any user of the software.

ICS-CERT has reported that all of these vulnerabilities have been patched by the company with the release of Monitouch V-SFT 5.4.43.0. It is recommended that organizations take measures to limit access to control systems.

Would you like to comment on this article?

Share

Latest news

15.12.2017

Hacker removed malware from Netgear site, the company failed to do so for 2 years

An anonymous hacker has removed malware from a Netgear site after the company failed to clean up a malware infection for more than two years.

15.12.2017

Hacker robbed church in Northern Ireland

The hacker told the priest that the church computer should be remotely accessible to fix an internet problem.

15.12.2017

Synaptics to remove keylogger from its drivers

The company has decided to remove the keylogger functionality from its products.

Sign up for our online newsletter!