Fuji Electric V-Server Lite all versions prior to 126.96.36.199 contains a heap based buffer overflow. The buffer allocated to read data, when parsing VPR files, is too small.
ICS Advisory (ICSA-20-098-04)
Fuji Electric V-Server Lite
All information products included in https://us-cert.gov/ics are provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://www.us-cert.gov/tlp/.
1. EXECUTIVE SUMMARY
CVSS v3 7.8
ATTENTION: Exploitable remotely/low skill level to exploit
Vendor: Fuji Electric
Equipment: V-Server Lite
Vulnerability: Heap-based Buffer Overflow
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow a remote attacker to gain elevated privileges for remote code execution.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of V-Server Lite, a data collection and management service, are affected:
Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.