ICS-CERT and Trend Micro’s Zero Day Initiative (ZDI) this week disclosed the existence of several unpatched vulnerabilities affecting servo systems and drives from Japanese electrical equipment company Fuji Electric.
According to ICS-CERT and ZDI, researcher Michael Flanders discovered two vulnerabilities in Fuji’s Alpha 5 Smart servo system, specifically its Loader software, version 3.7 and prior.
The product, mainly used in the commercial facilities and critical manufacturing sectors in Europe and Asia, makes adjustments to ensure that the motors powering various machines operate properly.
One of the flaws identified by Flanders in the Loader software of the Alpha 5 Smart system is a critical heap-based buffer overflow (CVE-2018-14794) that can allow a remote attacker to execute arbitrary code by tricking the targeted user into opening a specially crafted C5V file.
“The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length, heap-based buffer. An attacker can leverage this vulnerability to execute arbitrary code under the context of an administrator,” ZDI said in its advisory.
The second vulnerability affecting the servo system is a medium severity buffer overflow that can lead to disclosure of sensitive information when specially crafted A5P files are processed. When combined with other flaws, this bug can be exploited to execute arbitrary code with administrator privileges.
Flanders and researcher Ghirmay Desta also informed the vendor – through ZDI and ICS-CERT – that some FRENIC AC drives are affected by three vulnerabilities. These products are used worldwide to control motors present in factory equipment and other machines.
According to ICS-CERT, the FRENIC Loader, FRENIC-Mini (C1 and C2), FRENIC-Eco, FRENIC-Multi, FRENIC-MEGA, FRENIC-Ace, and FRENIC-HVAC products are affected by critical stack-based buffer overflow and buffer over-read issues (CVE-2018-14802 and CVE-2018-14790) that can allow arbitrary code execution. The researchers also discovered a medium severity out-of-bounds read bug that can lead to information disclosure.
An attacker can exploit these vulnerabilities by tricking the targeted user into opening specially crafted FNC files.
ZDI gives organizations 120 days to release patches before making limited details of a vulnerability public. The company has published a total of five advisories this week for these Fuji Electric flaws and they all have a “zero-day” status due to the lack of patches from the vendor.
Fuji Electric claims it’s working on patching the vulnerabilities. Until fixes become available, users have been advised to avoid opening untrusted files in the affected applications.