Fix is in for Mitsubishi’s E-Designer

Tuesday, August 1, 2017 @ 03:08 PM gHale


Mitsubishi Electric Europe B.V. recommended two courses of action to mitigate multiple vulnerabilities in its E-Designer product, according to a report from ICS-CERT.

The remotely exploitable vulnerabilities are a heap-based buffer overflow, a stack-based buffer overflow and an out-of-bounds write.


E-Designer Version 7.52 Build 344, a product used to program HMIs for the E1000, suffers from the issues, which were discovered by Andrea “rgod” Micalizzi, working with Trend Micro’s Zero Day Initiative.

Successful exploitation of these vulnerabilities can result in corruption of sensitive information, system crash, denial of service, and arbitrary code execution.

An attacker with a low skill level could leverage the vulnerabilities. The product sees use in the critical manufacturing sector and is used on a global basis.

In the stack-based buffer overflow, six code sections have been identified in which exploitation can overwrite the stack. This can result in arbitrary code execution, compromised data integrity, denial of service, and system crash.

CVE-2017-9638 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.

In the heap-based buffer overflow, five code sections have been identified in which exploitation can overwrite the heap. This can result in arbitrary code execution, compromised data integrity, denial of service, and system crash.

CVE-2017-9636 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.

In the out-of-bounds write, two code sections have been identified where exploitation can allow a remote attacker to write data to arbitrary memory locations. This can result in arbitrary code execution, compromised data integrity, denial of service, and system crash.

CVE-2017-9634 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.

Mitsubishi recommends the following actions to mitigate these vulnerabilities:
• Use E-Designer in a safe, firewalled network.
• Replace E-Designer HMIs with interfaces built with Mitsubishi’s new product, GT Works. E-Designer has been discontinued.


