Panasonic Fixes Control FPWIN Pro Holes

Thursday, June 6, 2019 @ 01:06 PM gHale

Panasonic has an upgrade available to mitigate heap-based buffer overflow and type confusion vulnerabilities in its Control FPWIN Pro, according to a report from NCCIC.

Successful exploitation of these vulnerabilities could crash the device and allow remote code execution. kimiya of 9sg Security Team working with Trend Micro’s Zero Day Initiative discovered the vulnerabilities.

FPWIN Pro, a PLC programming software package, suffers from the issues in Version 7.3.0.0 and prior.

In one vulnerability, attacker-created project files loaded by an authenticated user can cause heap-based buffer overflows, which may lead to remote code execution.

CVE-2019-6530 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.3.

In addition, attacker-created project files loaded by an authenticated user can trigger incompatible type errors because the resource does not have expected properties. This may lead to remote code execution.

CVE-2019-6532 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.3.

The product sees use mainly in the commercial facilities, critical manufacturing, and food and agriculture sectors. It is deployed worldwide.

No known public exploits specifically target these vulnerabilities. However, an attacker with low skill level could leverage the vulnerabilities.

Japan-based Panasonic recommends users upgrade to FPWIN Pro Version 7.3.1.0 or newer.

For more information about these issues or other vulnerabilities in Panasonic products, contact the Panasonic Product Security Incident Response Team.


