[Japanese]

JVNDB-2024-013702

Multiple vulnerabilities in FUJI ELECTRIC products

Overview

Multiple vulnerabilities listed below exist in the remote monitoring software 'TELLUS' and 'TELLUS Lite', and the simulator module and the remote monitoring software 'V-Server' and 'V-Server Lite' contained in the graphic editor 'V-SFT' provided by FUJI ELECTRIC CO., LTD.

* Multiple Stack-based buffer overflow vulnerabilities in V-SFT, TELLUS, TELLLUS Lite (CWE-121) - CVE-2024-38309
* Out-of-bounds read vulnerability in TELLUS and TELLUS Lite (CWE-125) - CVE-2024-38389
* Out-of-bounds read vulnerability in V-Server and V-Server Lite (CWE-125) - CVE-2024-38658

Michael Heinzl reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 7.8 (High) [Other]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base scores have been assigned for CVE-2024-38309

CVSS V3 Severity:
Base Metrics7.8 (High) [Other]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base scores have been assigned for CVE-2024-38389

CVSS V3 Severity:
Base Metrics7.8 (High) [Other]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base scores have been assigned for CVE-2024-38658
Affected Products


Fuji Electric Co., Ltd.
  • TELLUS v4.0.19.0 and earlier (CVE-2024-38309, CVE-2024-38389)
  • TELLUS Lite v4.0.19.0 and earlier (CVE-2024-38309, CVE-2024-38389)
  • V-Server v4.0.19.0 and earlier (CVE-2024-38658)
  • V-Server Lite v4.0.19.0 and earlier (CVE-2024-38658)
  • V-SFT v6.2.2.0 and earlier (CVE-2024-38309)

Impact

If a user opens a specially crafted file, information may be disclosed and/or arbitrary code may be executed.
Solution

[Update the software]
Update the software to the latest version according to the information provided by the developer.

Vendor Information

Fuji Electric Co., Ltd.
CWE (What is CWE?)

  1. Stack-based Buffer Overflow(CWE-121) [Other]
  2. Out-of-bounds Read(CWE-125) [Other]
CVE (What is CVE?)

  1. CVE-2024-38309
  2. CVE-2024-38389
  3. CVE-2024-38658
References

  1. JVN : JVNVU#97531313
Revision History

  • [2024/11/29]
      Web page was published

Date Public2024/11/28
Date First Published2024/11/29
Date Last Updated2024/11/29