Panasonic has an upgrade available to mitigate heap-based buffer overflow and type confusion vulnerabilities in its Control FPWIN Pro, according to a report from NCCIC.
Successful exploitation of these vulnerabilities could crash the device and allow remote code execution. kimiya of 9sg Security Team working with Trend Micro’s Zero Day Initiative discovered the vulnerabilities.
A PLC programming software, FPWIN Pro Version 18.104.22.168 and prior suffer from the issues.
In one vulnerability, attacker-created project files loaded by an authenticated user can cause heap-based buffer overflows, which may lead to remote code execution.
CVE-2019-6530 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.3.
In addition, attacker-created project files loaded by an authenticated user can trigger incompatible type errors because the resource does not have expected properties. This may lead to remote code execution.
CVE-2019-6532 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.3.
The product sees use mainly in the commercial facilities, critical manufacturing, and food and agriculture sectors. It also sees action on a global basis.
No known public exploits specifically target these vulnerabilities. However, an attacker with low skill level could leverage the vulnerabilities.
Japan-based Panasonic recommends users upgrade to FPWIN Pro Version 22.214.171.124 or newer.
For more information about these issues or other vulnerabilities in Panasonic products, contact the Panasonic Product Security Incident Response Team.