FATEK Automation FvDesigner
Monitor · CVSS 7.8 · ICS-CERT ICSA-21-217-02 · Aug 5, 2021
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
FATEK FvDesigner versions 1.5.88 and earlier contain memory corruption vulnerabilities (CWE-824, CWE-121, CWE-787) that allow local code execution. These are exploitable only with local access and user interaction. FATEK has not responded to CISA requests for a patch, and no fix is available. No public exploits currently exist for these vulnerabilities.
What this means
What could happen
An attacker with local access to a machine running FvDesigner could execute arbitrary code with the privileges of the user running the application, potentially compromising the engineering workstation and, through it, the ability to modify or monitor industrial control configurations.
Who's at risk
Engineering teams and automation technicians at water utilities, electrical utilities, and manufacturing facilities that use FATEK FvDesigner for PLC and industrial controller programming and configuration. This affects the ability to safely maintain and update control system configurations.
How it could be exploited
An attacker must first gain local access to a machine running FvDesigner. This could happen through social engineering (tricking a user into clicking a malicious link or opening an infected attachment), physical access to an engineering workstation, or lateral movement from another compromised system. Once local, the attacker can exploit the memory corruption vulnerabilities (buffer overflow, use-after-free) to run arbitrary code in the context of the FvDesigner process.
Prerequisites
- Local access to a computer running FvDesigner
- User must run or interact with FvDesigner application
- Attacker can supply malicious input to trigger the memory corruption (e.g., malformed project file, crafted input via GUI interaction)
Key points
- No patch available
- Memory corruption vulnerabilities (buffer overflow, use-after-free)
- Affects engineering workstations used for safety-critical system configuration
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (1)
Product       Affected Versions   Fix Status
FvDesigner    ≤ 1.5.88            No fix (EOL)
Remediation & Mitigation
Do now
- HARDENING: Educate engineering staff not to click links or open attachments from unsolicited emails, especially those asking them to open project files or software downloads
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Restrict physical and remote access to engineering workstations running FvDesigner to authorized personnel only
- WORKAROUND: Implement application whitelisting to prevent unauthorized executables from running on engineering workstations
Mitigations - no patch available
FvDesigner has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
- HARDENING: Discontinue use of FvDesigner version 1.5.88 and below, or contact FATEK to evaluate alternative products, as no vendor fix is planned
- HARDENING: Monitor and log all modifications to FvDesigner project files and configurations
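The two workstation controls above (application whitelisting and logging of project-file changes) as an added PowerShell example; this is not part of the advisory or a FATEK-supplied script. The install path, project folder and policy file name are assumptions and must be adjusted to the actual workstation layout; it must be run elevated.

```powershell
# Added example: compensating controls for an FvDesigner engineering workstation
# where no vendor patch exists. Run as an administrator.
$FvInstall  = 'C:\Program Files (x86)\FATEK\FvDesigner'   # ASSUMED install path
$ProjectDir = 'D:\FvProjects'                             # ASSUMED project folder
$PolicyFile = "$env:ProgramData\FvDesigner-AppLocker.xml" # ASSUMED output file

# 1. Application whitelisting: build an AppLocker allow-list from the binaries
#    actually installed, using publisher rules where files are signed and file
#    hashes otherwise. Test on a pilot machine in AuditOnly mode (with the
#    default Windows rules present) before switching enforcement on.
Get-ChildItem -Path $FvInstall -Recurse -Include *.exe, *.dll |
    Get-AppLockerFileInformation |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File -FilePath $PolicyFile -Encoding utf8
Set-AppLockerPolicy -XmlPolicy $PolicyFile -Merge

# 2. Log project-file modifications: enable object-access auditing and place a
#    SACL on the project folder so writes, deletes and permission changes are
#    recorded in the Security log (event ID 4663) for SIEM collection.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
$acl  = Get-Acl -Path $ProjectDir -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership',
    'ContainerInherit, ObjectInherit',
    'None',
    'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $ProjectDir -AclObject $acl

# 3. Quick check: project-file access events from the last 24 hours.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddDays(-1) } |
    Where-Object { $_.Message -like "*$ProjectDir*" } |
    Select-Object TimeCreated, @{ n = 'Detail'; e = { ($_.Message -split "`n")[0..3] -join ' ' } }
```

AppLocker needs the Application Identity service running, and merging the policy does not by itself set the enforcement mode.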