Source: www.databreachtoday.com – Author:
Governance & Risk Management , Vulnerability Assessment & Penetration Testing (VA/PT)
Flaws in Fuji’s Tellus and V-Server Software Pose Risks to Critical Infrastructure Jayant Chakravarti (@JayJay_Tech) • December 3, 2024
Security researchers have uncovered 16 zero-day vulnerabilities in Japanese equipment manufacturer Fuji Electric’s remote monitoring software that enable attackers to execute malicious code in devices commonly used by utilities and other critical infrastructure providers.
See Also: August Spotlight | Automated Threat Intelligence Correlation
The Zero Day Initiative said the zero-day vulnerabilities affect Fuji Electric’s Tellus and Tellus Lite remote monitoring software and V-Server and V-Server Lite simulator modules and remote monitoring software in a graphic editor called V-SFT.
Established in 1923, Fuji Electric manufactures industrial machinery and systems, including inverters, generators, pumps, electric equipment and power semiconductors. Tellus and V-Server enable industrial operators to remotely control and maintain their operations, manage on-site data and troubleshoot problems.
But researchers warned that the Monitouch V-SFT vulnerabilities could enable attackers to execute arbitrary code on affected installations. Successful exploitation requires user interaction, which means malicious actors can lure users into visiting a malicious page or open a malicious file to infiltrate the system and execute malicious code.
The vulnerability disclosure follows a similar alert by the U.S. Cybersecurity and Infrastructure Security Agency in June about Fuji Electric’s Tellus Lite V-Simulator, which had out-of-bound write and stack-based buffer overflow vulnerabilities that could enable an attacker to perform malicious code execution.
The electric equipment manufacturer in 2021 patched at least half a dozen vulnerabilities that affected Tellus Lite V-Simulator and V-Server Lite remote monitoring software. These high-severity vulnerabilities enabled attackers to execute arbitrary code, conduct denial-of-service attacks or obtain sensitive information.
Zero Day Initiative said the recently discovered vulnerabilities arose due to improper validation of user-supplied data, resulting in an out-of-bounds write vulnerability during the parsing of such files. “An attacker can leverage this vulnerability to execute code in the context of the current process,” researchers said.
The research collective assigned separate CVE codes to zero-day vulnerabilities associated with improper validation of V8, V8C, V9C, V10 and X1 files. ZDI said the vulnerabilities were reported in July but Fuji Electric has requested an extension until April 2025 to issue patches.
According to Japan’s national vulnerability database maintained by the Japan Computer Emergency Response Team, CVE-2024-38309 impacts V-SFT v6.2.2.0 and earlier, TELLUS v4.0.19.0 and earlier and TELLUS Lite v4.0.19.0 and earlier versions and CVE-2024-38658 affects V-Server v4.0.19.0 and earlier and V-Server Lite v4.0.19.0 and earlier versions. The third vulnerability, assigned CVE-2024-38389, affects TELLUS v4.0.19.0 and earlier and TELLUS Lite v4.0.19.0 and earlier versions.
Original Post url: https://www.databreachtoday.com/16-zero-days-uncovered-in-fuji-electric-monitoring-software-a-26962
Category & Tags: –
Views: 2