Fuji Electric now has a fix to take care of buffer over-read, out-of-bounds read and stack-based buffer overflow vulnerabilities in its FRENIC Loader, FRENIC-Mini (C1), FRENIC-Mini (C2), FRENIC-Eco, FRENIC-Multi, FRENIC-MEGA and FRENIC-Ace, according to a report with NCCIC.

Successful exploitation of these vulnerabilities, discovered by Michael Flanders and Ghirmay Desta working with Trend Micro’s Zero Day Initiative, could allow for arbitrary remote code execution affecting the availability of the device. Public exploits are available.

FRENIC LOADER v3.3 v7.3.4.1a of FRENIC-Mini (C1), FRENIC-Mini (C2), FRENIC-Eco, FRENIC-Multi, FRENIC-MEGA and FRENIC-Ace suffers from the remotely exploitable vulnerabilities.

A buffer over-read vulnerability may allow remote code execution on the device.

CVE-2018-14790 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.

In the out-of-bounds read vulnerability, the program does not properly parse FNC files, which may allow for information disclosure.

CVE-2018-14798 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.

In the stack-based buffer overflow, the program does not properly check user-supplied comments, which may allow for arbitrary remote code execution.

CVE-2018-14802 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.

The products see use mainly in the commercial facilities sector and are deployed on a global basis.

An attacker with low skill level could leverage the vulnerabilities.

Japan-based Fuji Electric released a new version of firmware for the affected FRENIC Loader products.
