Fuji Electric V-Server Lite all versions prior to 184.108.40.206 contains a heap based buffer overflow. The buffer allocated to read data, when parsing VPR files, is too small.
ICS Advisory (ICSA-20-098-04)
Fuji Electric V-Server Lite
All information products included in https://us-cert.gov/ics are provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://www.us-cert.gov/tlp/.
1. EXECUTIVE SUMMARY
CVSS v3 7.8
ATTENTION: Exploitable remotely/low skill level to exploit
Vendor: Fuji Electric
Equipment: V-Server Lite
Vulnerability: Heap-based Buffer Overflow
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow a remote attacker to gain elevated privileges for remote code execution.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of V-Server Lite, a data collection and management service, are affected:
Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
A vulnerability has been found in Google Chrome (Web Browser) and classified as critical. Affected by this vulnerability is an unknown functionality of the component WebApp Installer. Upgrading to version 95.0.4638.54 eliminates this vulnerability.
A vulnerability, which was classified as critical, was found in Cisco IOS XE SD-WAN (Router Operating System) (the affected version unknown). This affects an unknown functionality of the component CLI. Upgrading eliminates this vulnerability.
A vulnerability has been found in Cisco Integrated Management Controller (the affected version is unknown) and classified as problematic. This vulnerability affects some unknown functionality of the component Web-based Management Interface. Upgrading eliminates this vulnerability.