Japanese electrical equipment company Fuji Electric has released an update for one of its human-machine interface (HMI) products to address several vulnerabilities.
The affected product is the Fuji Electric Monitouch V-SFT, an application that allows organizations to configure their HMI screens. The software is used worldwide in the critical manufacturing and energy sectors.
ICS-CERT informed organizations on Thursday that the Monitouch V-SFT software is affected by stack and heap buffer overflows and improper privilege management vulnerabilities that can be exploited to execute arbitrary code and escalate privileges.
The security holes were reported to the vendor by researchers Ariele Caltabiano (aka kimiya) and Fritz Sands through Trend Micro’s Zero Day Initiative (ZDI) in September 2016.
According to ZDI, the buffer overflow flaws, which allow a remote attacker to cause a crash or execute arbitrary code in the context of the targeted process, can be exploited by getting the targeted user to visit a malicious web page or open a malicious file.
The vulnerabilities, tracked as CVE-2017-9659 and CVE-2017-9660, exist due to the way the application parses V8 project files and is caused by the lack of proper validation for the length of user-supplied data prior to copying it to a fixed-length buffer.
While ZDI has classified the buffer overflows as medium severity bugs with a CVSS score of 6.8, ICS-CERT has rated the issues as high severity with a CVSS score of 7.3.
The third type of vulnerability affecting Fuji Electric’s Monitouch V-SFT is less severe. It allows a local attacker who has the ability to execute low-privileged code to escalate their permissions.
“The specific flaw exists within the configuration of Monitouch V-SFT. The software is installed with weak access controls on the executable files. An attacker can leverage this vulnerability to execute code in the context of any user of the software,” ZDI said in its advisory.
ICS-CERT says all these vulnerabilities have been patched by the vendor with the release of Monitouch V-SFT 184.108.40.206. In addition to applying the update, the agency has advised organizations to take measures to limit access to control systems.