Multiple vulnerabilities in Fuji Electric V-Server


This tool connects PCs within organizations to industrial control systems

Experts in ethical hacking discovered various vulnerabilities in Fuji Electric V-Server, a tool that connects PCs within organizations to industrial control systems (ICS) in the corporate network. The Industrial Control Systems Computer Emergency Response Team (ICS-CERT) published two security advisories warning of flaws that could have a severe impact on a wide range of companies in the manufacturing sector.

The vulnerabilities, classified as “high severity”, could be exploited remotely to execute arbitrary code. Problems of this type in ICS environments are dangerous and pose a serious threat to companies, according to specialists in ethical hacking. Vulnerabilities in products that connect the corporate network with industrial control systems are a particular concern, because that is how many malicious actors try to enter organizations’ sensitive systems.

Fuji Electric V-Server devices have access to programmable logic controllers (PLC) on the corporate network via Ethernet. PLC control is implemented through Monitouch’s human-machine interfaces (HMI).

“Successful exploitation of these vulnerabilities could allow remote code execution on the compromised device, causing denial of service or sensitive information leaking,” says the security advisory issued by ICS-CERT.

The list of vulnerabilities includes buffer overflow, out-of-bounds write, integer overflow, out-of-bounds read, and stack-based buffer overflow flaws that remote attackers could exploit to execute arbitrary code and trigger denial of service (DoS) or information leaks.

Specialists in ethical hacking from the International Institute of Cyber Security affirm that the worst part of the incident is that various public exploits for these vulnerabilities are already available online.

ICS-CERT also warns of another high-severity buffer overflow in V-Server Lite that can lead to a DoS condition or an information leak. The flaw could be triggered by deceiving victims into opening specially crafted project files.

For its part, the manufacturer addressed the problems with the release of version 4.0.4.0.

The vulnerabilities were reported to the vendor through the Zero Day Initiative (ZDI) program by researchers Steven Seeley and Ariele Caltabiano.

This vulnerability received a score of 6.8/10 in the Common Vulnerability Scoring System (CVSS), which makes it the most serious security flaw encountered by these researchers.