OTPulse
FeedAboutContact

Fuji Electric Tellus Lite V-Simulator

Plan Patch7.8ICS-CERT ICSA-22-354-01Dec 20, 2022
Attack VectorLocal
Auth RequiredNone
ComplexityLow
User InteractionRequired
Summary

Fuji Electric Tellus Lite V-Simulator versions 4.0.12.0 and earlier contain buffer overflow and out-of-bounds write vulnerabilities (CWE-787, CWE-121) in file parsing logic. Exploitation requires local code execution and is not remotely exploitable. An attacker could execute arbitrary code with user privileges through a crafted malicious file delivered via social engineering.

What this means
What could happen
An attacker with local access to a system running Tellus Lite V-Simulator could execute arbitrary code, potentially gaining control of the engineering workstation and any connected control systems or configuration tools.
Who's at risk
Energy sector operators and system integrators using Fuji Electric Tellus Lite V-Simulator, primarily engineering and maintenance staff on workstations where the simulation and configuration tool is installed.
How it could be exploited
An attacker must deceive a user into opening a malicious email attachment or link on a system where Tellus Lite V-Simulator is installed. The vulnerability (buffer overflow/out-of-bounds write) is triggered when processing the malicious file, allowing code execution with user privileges. This is typically a social engineering attack vector combined with the local code execution flaw.
Prerequisites
  • Local access to a system running Tellus Lite V-Simulator version 4.0.12.0 or earlier
  • User interaction required: victim must open a malicious email attachment or click a link
  • Tellus Lite V-Simulator application installed and running on the target system
local code executionbuffer overflow vulnerabilityuser interaction required (social engineering)affects engineering workstations
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
ProductAffected VersionsFix Status
Tellus Lite V-Simulator:≤ 4.0.12.04.0.15.0
Remediation & Mitigation
0/4
Do now
0/2
HARDENINGTrain users not to click links or open attachments from unsolicited email messages
WORKAROUNDDeploy email filtering to block suspicious attachments and external links
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate Tellus Lite V-Simulator to version 4.0.15.0 or later
Long-term hardening
0/1
HARDENINGIsolate engineering workstations from general corporate email and web browsing to limit exposure to social engineering attacks
View full CISA ICS-CERT advisory
↑↓ Navigate · Esc Close
API: /api/v1/advisories/6b2d7b6b-bdda-403e-bfe8-e636cc3f75a5
Fuji Electric Tellus Lite V-Simulator | CVSS 7.8 - OTPulse