OTPulse

Panasonic Control FPWIN Pro

Action: Plan Patch
CVSS: 7.3
Source: ICS-CERT ICSA-19-157-02
Published: Jun 6, 2019
Attack Vector: Local
Privileges Required: Low
Attack Complexity: Low
User Interaction: Required
Summary

FPWIN Pro versions 7.3.0.0 and earlier contain a heap-based buffer overflow (CWE-122) and a type confusion vulnerability (CWE-843). Both are triggered when the software parses a specially crafted project file or other malformed input; a local attacker who gets a user to open such a file can crash FPWIN Pro or execute arbitrary code with that user's privileges. Panasonic has released a fix in version 7.3.1.0.

What this means
What could happen
An attacker with local access to a system running FPWIN Pro could crash the engineering software or execute arbitrary code with the privileges of the logged-in user. Because the engineering workstation is the system trusted to program the controllers, that foothold could be used to alter PLC logic, control setpoints, or process parameters and push the altered program to the PLC.
Who's at risk
Organizations using Panasonic FPWIN Pro as their PLC programming and engineering software should prioritize this. Anyone (engineers, technicians, contractors) who uses FPWIN Pro to develop or modify control logic for programmable logic controllers is a potential target, because exploitation only requires that person to open a crafted project file.
How it could be exploited
An attacker with local access to an engineering workstation running FPWIN Pro could trigger the buffer overflow or type confusion by getting the user to open a malicious project file, or by feeding the application other crafted input. Successful exploitation yields code execution inside the engineering environment with the privileges of the logged-in user, and with it access to whatever PLC connections that user has.
Prerequisites
  • Local access to a Windows system running FPWIN Pro version 7.3.0.0 or earlier
  • User interaction required: the victim must open a malicious file or project in FPWIN Pro
  • The attacking user does not need administrative privileges on the workstation
Key points
  • Attack vector is local (CVSS AV:L): the crafted file must be opened on the workstation, but the file itself can arrive remotely, for example by email, on removable media, or through a shared project folder
  • Requires user interaction (opening a malicious file)
  • Low attack complexity
  • Affects engineering workstations, not field devices directly; the PLCs are reachable only through the compromised workstation
  • Vendor fix available (7.3.1.0)
Exploitability
Moderate exploit probability (EPSS score 1.7%, the estimated probability of exploitation activity in the wild within the next 30 days)
Affected products (1)
Product      Affected Versions   Fix Status
FPWIN Pro    ≤ 7.3.0.0           Fixed in 7.3.1.0
Remediation & Mitigation
Do now
HARDENING: Restrict local access to engineering workstations running FPWIN Pro; limit who can log into these systems, and keep shared or generic engineering accounts to a minimum
WORKAROUND: Instruct users not to open FPWIN Pro project files from untrusted sources; treat project files received by email or on removable media as untrusted until their origin has been confirmed
Schedule — requires maintenance window

Upgrading FPWIN Pro touches the engineering workstation, not the PLCs, but it may require a workstation reboot and any online editing or monitoring sessions must be closed first; plan the window so that no engineering session is interrupted mid-change

HOTFIX: Upgrade FPWIN Pro to version 7.3.1.0 or later on every engineering workstation, then verify the installed version rather than assuming the upgrade completed
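As an added example (not tooling from Panasonic or OTPulse), the following PowerShell inventories FPWIN Pro installations by reading the standard Windows uninstall registry keys and flags every install whose version is below 7.3.1.0. It assumes the installer registers an uninstall entry whose DisplayName contains "FPWIN" (an assumption; confirm the filter on one known workstation) and, for remote hosts, that WinRM is enabled.

```powershell
# Added example: inventory FPWIN Pro versions and flag installs below 7.3.1.0.
# Assumption: the installer writes a standard Uninstall entry whose DisplayName
# contains "FPWIN". Verify this on one known workstation before trusting the filter.
$FixedVersion = [version]'7.3.1.0'

$VersionProbe = {
    param([version]$Fixed)
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*FPWIN*' } |
        ForEach-Object {
            # DisplayVersion is free text; only compare it if it parses as a dotted version.
            $parsed = $null
            $ok = [version]::TryParse([string]$_.DisplayVersion, [ref]$parsed)
            $vulnerable = if ($ok) { $parsed -lt $Fixed } else { 'Unknown' }
            [pscustomobject]@{
                Computer       = $env:COMPUTERNAME
                DisplayName    = $_.DisplayName
                DisplayVersion = $_.DisplayVersion
                Vulnerable     = $vulnerable
            }
        }
}

function Get-FpwinProStatus {
    <#
    .SYNOPSIS
    Report the installed FPWIN Pro version and patch status for one or more workstations.
    #>
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )
    foreach ($c in $ComputerName) {
        if ($c -eq $env:COMPUTERNAME) {
            & $VersionProbe $FixedVersion
        }
        else {
            # Assumption: WinRM (PowerShell remoting) is enabled on the engineering workstations.
            Invoke-Command -ComputerName $c -ScriptBlock $VersionProbe -ArgumentList $FixedVersion
        }
    }
}

# Usage: list every workstation that still runs a vulnerable build, or whose version
# string could not be parsed and therefore needs a manual check.
Get-FpwinProStatus -ComputerName (Get-Content .\engineering-workstations.txt) |
    Where-Object { $_.Vulnerable -ne $false } |
    Format-Table Computer, DisplayName, DisplayVersion, Vulnerable -AutoSize
```

Workstations that report "Unknown" have an uninstall entry with a non-numeric version string; check those by hand (Help > About in FPWIN Pro) rather than treating them as patched.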
Long-term hardening
HARDENING: Implement application allow-listing (for example AppLocker or Windows Defender Application Control) on engineering workstations so that only approved binaries, including the patched FPWIN Pro, can execute; this limits what a payload delivered through a malicious project file is able to launch
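As an added example of the allow-listing step above (not vendor guidance), the following PowerShell builds AppLocker rules from the patched FPWIN Pro install directory, deploys them in audit mode first, and checks the patched executables against the merged policy. The install path in $FpwinDir is an assumption and must be replaced with the real directory; the AppLocker cmdlets require a Windows edition that supports AppLocker and the Application Identity service.

```powershell
# Added example: allow-list the patched FPWIN Pro install with AppLocker.
# Assumption: FPWIN Pro 7.3.1.0 is installed under $FpwinDir; replace with the real path.
$FpwinDir   = 'C:\Program Files (x86)\FPWIN Pro'
$PolicyPath = Join-Path $env:ProgramData 'fpwin-applocker-audit.xml'

# AppLocker only evaluates rules while the Application Identity service is running.
# Set-Service is refused for this service on recent Windows builds, hence sc.exe.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# 1. Collect publisher and hash information for every EXE and DLL in the patched install.
$fileInfo = Get-AppLockerFileInformation -Directory $FpwinDir -Recurse -FileType Exe, Dll

# 2. Build allow rules. Publisher rules cover signed files across future updates; hash
#    rules cover unsigned ones. A vulnerable 7.3.0.0 copy left elsewhere on disk does not
#    match a hash taken from 7.3.1.0, so it is blocked once enforcement is turned on.
$policyXml = $fileInfo |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize `
        -RuleNamePrefix 'FPWIN Pro 7.3.1.0' -IgnoreMissingFileInformation -Xml

# 3. Start in AuditOnly: launches that would be blocked are only logged to the
#    AppLocker event channels until the rule set is confirmed to be complete.
$policyXml = $policyXml -replace 'EnforcementMode="[^"]*"', 'EnforcementMode="AuditOnly"'
Set-Content -Path $PolicyPath -Value $policyXml -Encoding UTF8

# 4. Merge with the existing local policy so the default rules that allow Windows itself
#    and Program Files are kept; a policy consisting only of the FPWIN rules would, once
#    enforced, block everything else on the workstation.
Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge

# 5. Confirm the patched binaries are allowed by the merged policy before considering
#    a switch from AuditOnly to Enabled.
$MergedPath = "$PolicyPath.merged"
Get-AppLockerPolicy -Local -Xml | Set-Content -Path $MergedPath -Encoding UTF8
Get-ChildItem -Path $FpwinDir -Recurse -Filter *.exe |
    Test-AppLockerPolicy -XmlPolicy $MergedPath -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
```

Run the workstation in audit mode through at least one normal engineering cycle (project open, compile, download, online monitoring) and review the AppLocker event log for denials before changing EnforcementMode to Enabled; a missing DLL rule discovered in enforcement mode would stop the engineering tool at the worst possible moment.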