Fuji Electric V-Server VPR
Plan Patch8.6ICS-CERT ICSA-18-032-01Feb 1, 2018
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary
Fuji Electric V-Server VPR versions 4.0.1.0 and prior contain a stack-based buffer overflow vulnerability (CWE-121) that can be exploited remotely without authentication. The vulnerability allows an attacker to execute arbitrary code on the server.
What this means
What could happen
An attacker could run arbitrary code on your V-Server VPR, potentially taking control of your supervisory control system. This could allow them to alter process setpoints, disable alarms, or halt operations in critical energy infrastructure.
Who's at risk
This affects energy sector operators running Fuji Electric V-Server VPR as a supervisory control and data acquisition (SCADA) or industrial control server. Any facility using V-Server VPR for monitoring or controlling power generation, transmission, or distribution equipment should prioritize this vulnerability.
How it could be exploited
An attacker on the network with access to the V-Server VPR service port can send a specially crafted network packet that overflows a buffer in memory, allowing them to inject and execute arbitrary code. No authentication or user interaction is required.
Prerequisites
- Network access to the V-Server VPR service port
- No authentication required
- Low complexity attack—simple malformed input needed
Remotely exploitableNo authentication requiredLow complexityNo patch availableAffects critical energy infrastructure
Exploitability
Moderate exploit probability (EPSS 4.8%)
Affected products (1)
ProductAffected VersionsFix Status
V-Server VPR: 4.0.1.0 and prior≤ 4.0.1.0No fix (EOL)
Remediation & Mitigation
0/4
Do now
0/4HARDENINGIsolate V-Server VPR systems from the Internet and corporate network using a firewall or network segmentation
HARDENINGRestrict network access to the V-Server VPR service port to only authorized engineering workstations and authorized remote access points
WORKAROUNDIf remote access to V-Server VPR is required, implement a VPN with current security updates and ensure the VPN termination device is hardened
HARDENINGMonitor V-Server VPR for unexpected network connections or process behavior
CVEs (1)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/a5d7abec-c91f-42e9-81d8-e708530a0616