Today CISA’s NCCIC-ICS published a control system security
update for products from Fuji Electric and updated three advisories for
products from Mitsubishi, Treck and Eaton.

Fuji Advisory

This advisory describes five vulnerabilities in the Fuji Tellus Lite V-Simulator and V-Server
Lite. The vulnerabilities were reported by Kimiya, Khangkito – Tran Van Khang
of VinCSS (Member of Vingroup), and an anonymous researcher via the Zero Day Initiative.
Fuji has a newer version that mitigates the vulnerabilities. There is no
indication that the researchers have been provided with an opportunity to
verify the efficacy of the fix.

The five reported vulnerabilities are:

Stack-based buffer overflow – CVE-2021-22637,

Out-of-bounds read – CVE-2021-22655,

Out-of-bounds write – CVE-2021-22653,

Access of uninitialized pointer – CVE-2021-22639, and

Heap-based buffer overflow – CVE-2021-22641

NCCIC-ICS reports that a relatively low-skilled attacker
with uncharacterized access could exploit the vulnerabilities to
execute code under the privileges of the application.

Mitsubishi Update

This update provides additional information on an advisory that was originally
published on September 1st, 2020. The new information includes
updated affected versions and mitigation measures for:

• R12CCPU-V,

• RD55UP06-V,

• RD55UP12-V,

• RJ71GN11-T2,

• Q03UDECPU,

• QnUDEHCPU,

• QnUDVCPU,

• QnUDPVCPU,

• LnCPU(-P),

• L26CPU-(P)BT,

• RnSFCPU,

• RnPCPU,

• RnPSFCPU,

• FX5-ENET,

• FX5-ENET/IP,

• FX3U-ENET-ADP,

• FX3GE-**M*/**,

• FX3U-ENET,

• FX3U-ENET-L,

• FX3U-ENET-P502,

• FX5-CCLGN-MS,

• FR-A800-E Series,

• FR-F800-E Series,

• FR-A8NCG,

• FR-E800-EPA Series, and

• FR-E800-EPB Series

Treck Update

This update provides additional information on an advisory that was originally
published on December 18th, 2020. The new information includes
the names of the researchers from Intel who reported the advisory.

Eaton Update

This update provides additional information on an advisory that was originally
reported on January 11th, 2021. The new information includes the
announcement of the availability of a patch that mitigates the vulnerability.

Author of this post: PJCoyle

By admin