02 October 2018

Multiple vulnerabilities in Fuji Electric industrial products

Multiple vulnerabilities have been identified in industrial products produced by Fuji Electric. Successful exploitation of these vulnerabilities could allow remote execution of arbitrary code, which could affect device availability.

The vulnerabilities affect the following solutions:

  • software: FRENIC Loader v3.3;
  • inverters: FRENIC-Ace, FRENIC-Mini (C1) v7.3.4.1a, FRENIC-Mini (C2), FRENIC-Eco, FRENIC-Multi, FRENIC-MEGA;
  • servo system: Alpha5 Smart Loader versions 3.7 and earlier.

Alpha5 Smart Loader is affected by two buffer overflow vulnerabilities. CVE-2018-14788 is a buffer overflow information disclosure vulnerability, which occurs when parsing certain file types. The second vulnerability, CVE-2018-14794, is due to the device not performing a check on the length/size of a project file before copying the entire contents of the file to a buffer.
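The missing check described for CVE-2018-14794 can be illustrated with the following added example, which is not code from Fuji Electric or ICS-CERT: a loader that validates a file's length before copying it into a fixed buffer. The buffer size, the names `load_project` and `make_sample`, and the filler-byte sample files are assumptions made for illustration and do not reflect the product's actual project file format.

```c
#include <stdio.h>
#include <string.h>
#define PROJECT_BUF_SIZE 256 /* assumed fixed buffer size */
enum load_status { LOAD_OK = 0, LOAD_TOO_LARGE = -1, LOAD_IO_ERROR = -2 };
struct project { unsigned char data[PROJECT_BUF_SIZE]; size_t len; };

/* Flawed pattern (comment only): fread(p->data, 1, file_size, fp)
 * with file_size taken from the file and never compared to the buffer. */
/* Hardened loader: the file length is validated before any byte is copied. */
enum load_status load_project(FILE *fp, struct project *p)
{
    long size;
    memset(p, 0, sizeof *p);
    if (fseek(fp, 0, SEEK_END) != 0 || (size = ftell(fp)) < 0)
        return LOAD_IO_ERROR;
    if ((unsigned long)size > sizeof p->data)
        return LOAD_TOO_LARGE;              /* reject, do not truncate */
    if (fseek(fp, 0, SEEK_SET) != 0)
        return LOAD_IO_ERROR;
    /* Bound the read by the buffer, not by the measured size, so a file
     * that grows after the check still cannot overrun the buffer. */
    p->len = fread(p->data, 1, sizeof p->data, fp);
    if (ferror(fp) || p->len != (size_t)size)
        return LOAD_IO_ERROR;
    return LOAD_OK;
}

/* Constructed sample input: a temporary file holding n filler bytes. */
FILE *make_sample(size_t n)
{
    FILE *fp = tmpfile();
    if (!fp) return NULL;
    while (n--)
        if (fputc('A', fp) == EOF) { fclose(fp); return NULL; }
    return fp;
}

int main(void)
{
    size_t sizes[] = { 100, PROJECT_BUF_SIZE, PROJECT_BUF_SIZE + 1 };
    for (size_t i = 0; i < 3; i++) {
        struct project p;
        FILE *fp = make_sample(sizes[i]);
        if (!fp) return 1;
        printf("%zu bytes -> status %d\n", sizes[i], load_project(fp, &p));
        fclose(fp);
    }
    return 0;
}
```
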

The security flaws identified in the other solutions include buffer over-read (CVE-2018-14790), buffer overflow (CVE-2018-14802) and out-of-bounds read (CVE-2018-14798) vulnerabilities. The first two could allow remote execution of arbitrary code, and the third could lead to information disclosure.

CVE-2018-14790, CVE-2018-14802 and CVE-2018-14794 are critical vulnerabilities with CVSS v3 base scores of 9.8. Publicly available exploits exacerbate the severity of the vulnerabilities. Fuji Electric says it is actively working on fixes for these flaws.

Source: ICS-CERT