[Japanese]

JVNDB-2024-009667

Multiple vulnerabilities in JTEKT ELECTRONICS Kostac PLC Programming Software

Overview

Kostac PLC Programming Software provided by JTEKT ELECTRONICS CORPORATION contains multiple vulnerabilities listed below.

* Out-of-bounds write (CWE-787) - CVE-2024-47134
* Stack-based buffer overflow (CWE-121) - CVE-2024-47135
* Out-of-bounds read (CWE-125) - CVE-2024-47136

Michael Heinzl reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 7.8 (High) [Other]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base scores have been assigned for CVE-2024-47134

CVSS V3 Severity:
Base Metrics:7.8 (High) [Other]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base scores have been assigned for CVE-2024-47135

CVSS V3 Severity:
Base Metrics:7.8 (High) [Other]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base scores have been assigned for CVE-2024-47136
Affected Products


JTEKT ELECTRONICS CORPORATION
  • Kostac PLC Programming Software (Former name: Koyo PLC Programming Software) Version 1.6.14.0 and earlier

Impact

Having a user open a specially crafted project file which was saved using Kostac PLC Programming Software Version 1.6.9.0 and earlier may cause a denial-of-service (DoS) condition, arbitrary code execution, and/or information disclosure because the issues exist in parsing of KPP project files.
Solution

[Update the software]
Update Kostac PLC Programming Software to the latest version according to the information provided by the developer.
The developer released the following version that contains fixes for these vulnerabilities.

* Kostac PLC Programming Software Version 1.6.15.0 and above

The latest update can be obtained from the developer's website listed below.
* PLC - Download|JTEKT ELECTRONICS CORPORATION

[Apply workaround]
The developer states that Kostac PLC Programming Software Version 1.6.10.0 or later implements the function which prevents a project file alteration. Therefore, to mitigate the impact of these vulnerabilities, a project file which was saved using Kostac PLC Programming Software Version 1.6.9.0 and earlier needs to be saved again using Kostac PLC Programming Software Version 1.6.10.0 or later.
Vendor Information

JTEKT ELECTRONICS CORPORATION
CWE (What is CWE?)

  1. Stack-based Buffer Overflow(CWE-121) [Other]
  2. Out-of-bounds Read(CWE-125) [Other]
  3. Out-of-bounds Write(CWE-787) [Other]
CVE (What is CVE?)

  1. CVE-2024-47134
  2. CVE-2024-47135
  3. CVE-2024-47136
References

  1. JVN : JVNVU#92808077
Revision History

  • [2024/10/03]
      Web page was published

Date Public2024/10/02
Date First Published2024/10/03
Date Last Updated2024/10/03