[Japanese]

JVNDB-2023-003592

Multiple vulnerabilities in JTEKT ELECTRONICS Kostac PLC Programming Software

Overview

Kostac PLC Programming Software provided by JTEKT ELECTRONICS CORPORATION contains multiple vulnerabilities listed below.

* Double free (CWE-415) - CVE-2023-41374

* Use-after-free (CWE-416) - CVE-2023-41375

Michael Heinzl reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 7.8 (High) [Other]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base scores have been assigned for CVE-2023-41374

CVSS V3 Severity:
Base Metrics:7.8 (High) [Other]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base scores have been assigned for CVE-2023-41375
Affected Products


JTEKT ELECTRONICS CORPORATION
  • Kostac PLC Programming Software (Former name: Koyo PLC Programming Software) Version 1.6.11.0 and earlier

Impact

Arbitrary code may be executed by having a user open a specially crafted project file which was saved using Kostac PLC Programming Software Version 1.6.9.0 and earlier because the issue exists in parsing of KPP project files.
Solution

[Update the software]

Update Kostac PLC Programming Software to the latest version according to the information provided by the developer.
The developer released the following versions that contain fixes for these vulnerabilities.
* Kostac PLC Programming Software Version 1.6.12.0 and above

The latest update can be obtained from the developer's website listed below.
* PLC - Download | JTEKT ELECTRONICS CORPORATION

[Apply workaround]

The developer states that Kostac PLC Programming Software Version 1.6.10.0 or later implements the function which prevents a project file alteration. Therefore, to mitigate the impact of these vulnerabilities, a project file which was saved using Kostac PLC Programming Software Version 1.6.9.0 and earlier needs to be saved again using Kostac PLC Programming Software Version 1.6.10.0 or later.
Vendor Information

JTEKT ELECTRONICS CORPORATION
CWE (What is CWE?)

  1. Double Free(CWE-415) [Other]
  2. Use After Free(CWE-416) [Other]
CVE (What is CVE?)

  1. CVE-2023-41374
  2. CVE-2023-41375
References

  1. JVN : JVNVU#95282683
  2. National Vulnerability Database (NVD) : CVE-2023-41374
  3. National Vulnerability Database (NVD) : CVE-2023-41375
Revision History

  • [2023/09/13]
      Web page was published
  • [2024/05/28]
      References : Contents were added

Date Public2023/09/12
Date First Published2023/09/13
Date Last Updated2023/09/13