Fatek Automation Vulnerabilities

Thursday, October 13, 2016 @ 04:10 PM gHale


There are a heap memory corruption vulnerability and two stack buffer overflow vulnerabilities in Fatek’s Automation PM and FV Designer applications, according to a report with ICS-CERT.

Fatek has not yet produced an update to mitigate these vulnerabilities, which were discovered by Ariele Caltabiano (kimiya) working with Trend Micro’s Zero Day Initiative (ZDI). ZDI coordinated with ICS-CERT. ZDI published the remotely exploitable PM Designer vulnerability.

The following Fatek products suffer from the issues:
• Automation PM Designer V3 Version 2.1.2.2
• Automation FV Designer Version 1.2.8.0

Successful exploitation of the reported vulnerabilities may allow an attacker to perform malicious actions including denial of service and arbitrary code execution.

Fatek is a Taiwan-based company that maintains distribution offices in several countries around the world, including the U.S., UK, Netherlands, Italy, India, Germany, France, Czech Republic, China, and Australia.

The affected products, Automation PM Designer and Automation FV Designer, are HMI programming software. These products see action across several sectors including commercial facilities and critical manufacturing. Fatek said these products see use primarily in Europe and Asia.

In one of the vulnerabilities, sending additional valid packets could allow the attacker to cause a crash or to execute arbitrary code.

CVE-2016-5796 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.5.

Sending additional valid packets could trigger a stack-based buffer overflow and cause a crash.

CVE-2016-5798 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.

In addition, a malicious attacker can trigger a remote buffer overflow on the Fatek Communication Server.

CVE-2016-5798 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.

No known public exploits specifically target these vulnerabilities. However, an attacker with low skill would be able to exploit these vulnerabilities.

Fatek has not responded to requests to work with ICS-CERT to mitigate these vulnerabilities. ZDI published the PM Designer vulnerability.


