02 October 2018
Multiple vulnerabilities in Fuji Electric industrial products
Multiple vulnerabilities have been identified in industrial products produced by Fuji Electric. Successful exploitation of these vulnerabilities could allow remote execution of arbitrary code, which could affect device availability.
The vulnerabilities affect the following solutions:
- software: FRENIC Loader v3.3;
- inverters: FRENIC-Ace, FRENIC-Mini (C1) v7.3.4.1a, FRENIC-Mini (C2), FRENIC-Eco, FRENIC-Multi, FRENIC-MEGA;
- servo system: Alpha5 Smart Loader versions 3.7 and earlier.
Alpha5 Smart Loader is affected by two buffer overflow vulnerabilities. CVE-2018-14788 is a buffer overflow vulnerability that can lead to information disclosure and occurs when parsing certain file types. The second vulnerability, CVE-2018-14794, exists because the device does not check the length/size of a project file before copying the entire contents of the file to a buffer.
The security flaws identified in the other solutions are a buffer over-read (CVE-2018-14790), a buffer overflow (CVE-2018-14802) and an out-of-bounds read (CVE-2018-14798). The first two vulnerabilities could allow remote execution of arbitrary code, and the third could lead to information disclosure.
CVE-2018-14790, CVE-2018-14802 and CVE-2018-14794 are critical vulnerabilities with CVSS v3 base scores of 9.8. Publicly available exploits exacerbate the severity of the vulnerabilities. According to Fuji Electric, the company is actively working on fixes for these flaws.
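The two bug classes described above, a project file copied into a buffer without a size check and a read past the end of the data, are prevented by the checks in the following added example, which is not Fuji Electric's code. The advisory does not describe the project file format, so the 2-byte length header, the buffer size and all names here are assumptions.

```c
#include <stddef.h>
#include <string.h>

#define PROJECT_BUF_SIZE 64  /* hypothetical size of the fixed destination buffer */
#define HEADER_SIZE 2        /* hypothetical header: 16-bit little-endian record length */

enum load_status { LOAD_OK = 0, LOAD_TOO_LARGE, LOAD_TRUNCATED, LOAD_BAD_LENGTH };

struct project {
    unsigned char buf[PROJECT_BUF_SIZE];
    size_t len;                   /* bytes of buf actually filled */
    const unsigned char *record;  /* points into buf once validated */
    size_t record_len;
};

/* Copies a project file image into the fixed buffer only after checking its
   size, then validates the declared record length against the bytes present. */
enum load_status load_project(struct project *p, const unsigned char *file, size_t file_len)
{
    memset(p, 0, sizeof *p);
    if (file_len > sizeof p->buf)
        return LOAD_TOO_LARGE;    /* copy would overflow buf: reject the file */
    if (file_len < HEADER_SIZE)
        return LOAD_TRUNCATED;    /* not enough bytes to hold the header */
    memcpy(p->buf, file, file_len);
    p->len = file_len;

    /* The length field is attacker-controlled input: never trust it blindly. */
    size_t declared = (size_t)p->buf[0] | ((size_t)p->buf[1] << 8);
    if (declared > p->len - HEADER_SIZE)
        return LOAD_BAD_LENGTH;   /* record would extend past the copied data */
    p->record = p->buf + HEADER_SIZE;
    p->record_len = declared;
    return LOAD_OK;
}

int main(void)
{
    /* Constructed sample: header declares 3 bytes, 3 bytes follow. */
    const unsigned char sample[] = { 3, 0, 'a', 'b', 'c' };
    struct project p;
    return load_project(&p, sample, sizeof sample) == LOAD_OK ? 0 : 1;
}
```

Rejecting an oversized file outright, rather than truncating it to fit, keeps the later length-field check meaningful.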
Source: ICS-CERT