Fuji Electric Tellus Lite V-Simulator and V-Server Lite
Plan Patch · 7.8 · ICS-CERT ICSA-21-026-01 · Jan 26, 2021
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
Fuji Electric Tellus Lite V-Simulator and V-Server Lite contain multiple memory safety vulnerabilities (CWE-121, CWE-125, CWE-787, CWE-824, CWE-122). Successful exploitation could allow an attacker to execute code with the privileges of the application. These vulnerabilities are not remotely exploitable and require local access to an affected system. No known public exploits currently target these vulnerabilities.
What this means
What could happen
An attacker with local access to a Tellus Lite V-Simulator or V-Server Lite system could execute arbitrary code under the application's privileges, potentially allowing them to modify process logic, alter setpoints, or disrupt monitoring and control functions in energy operations.
Who's at risk
Energy sector operators using Fuji Electric Tellus Lite V-Simulator or V-Server Lite for SCADA simulation, training, or server management should prioritize patching. This affects both production-grade and simulation/training environments where these tools are used to manage or model energy distribution and generation systems.
How it could be exploited
An attacker must have local access to a system running Tellus Lite V-Simulator or V-Server Lite (e.g., via USB, shared workstation access, or physical proximity). The attack exploits memory safety issues (buffer overflows, out-of-bounds reads/writes) that could allow arbitrary code execution under the application's privilege level.
Prerequisites
- Local access to the affected system (not remotely exploitable)
- Ability to interact with the application via GUI or files processed by the application
- Vulnerable version of Tellus Lite V-Simulator or V-Server Lite (version before 4.0.10.0) installed and running
- No patch available for older versions without update
- Local access required reduces remote risk but increases insider threat concern
- Memory safety vulnerabilities (buffer overflow, out-of-bounds access)
- Could allow code execution at application privilege level
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (2)
2 with fix
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| Tellus Lite V-Simulator | < 4.0.10.0 | 4.0.10.0 |
| V-Server Lite | < 4.0.10.0 | 4.0.10.0 |
Remediation & Mitigation
Do now
- HARDENING: Restrict physical and local access to systems running Tellus Lite V-Simulator and V-Server Lite to authorized personnel only
- HARDENING: Implement access controls on shared workstations to prevent unauthorized users from launching these applications
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
- HOTFIX: Update Tellus Lite V-Simulator to version 4.0.10.0 or later using both required installation disks
- HOTFIX: Update V-Server Lite to version 4.0.10.0 or later using both required installation disks