Panasonic Control FPWin Pro7

Monitor7.8ICS-CERT ICSA-23-192-03Jul 11, 2023

Attack VectorLocal

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

Control FPWIN Pro7 contains multiple buffer overflow and pointer dereference vulnerabilities (CWE-121, CWE-843, CWE-119) that could result in information disclosure or remote code execution on affected installations. The vulnerabilities are not remotely exploitable and require local access and user interaction. Panasonic has released Control FPWIN Pro7 version 7.7.0.0 to address these issues. No known public exploits exist for these vulnerabilities.

What this means

What could happen

An attacker with local access to a machine running Control FPWIN Pro7 could execute arbitrary code or steal sensitive data from engineering projects and control configurations. This could allow them to modify PLC logic, steal proprietary control strategies, or sabotage industrial processes.

Who's at risk

Panasonic Control FPWIN Pro7 engineering workstations used by automation engineers and technicians at water utilities, electric utilities, manufacturing plants, and other facilities that program and maintain PLCs and industrial control systems. This affects any organization using Control FPWIN to develop or modify control logic.

How it could be exploited

An attacker must gain local access to a computer running Control FPWIN Pro7 (via malware, USB device, or physical access). Once on the machine, they can exploit buffer overflow or pointer dereference vulnerabilities to execute arbitrary code or read memory containing sensitive configuration data. The attack requires user interaction (opening a malicious file or project).

Prerequisites

Local access to engineering workstation running Control FPWIN Pro7
User must open or interact with a malicious project file or file passed to the application
No special privileges required on the workstation

No authentication required for exploitationLocal attack vector only (lower risk than remote)User interaction required (file opening)Low complexity attackAffects engineering workstations that can directly reprogram control systemsVendor patch is available

Exploitability

Low exploit probability (EPSS 0.0%)

Affected products (1)

ProductAffected VersionsFix Status

Control FPWIN: *All versionsNo fix yet

Remediation & Mitigation

0/4

Do now

0/2

HARDENINGRestrict physical and remote access to engineering workstations running Control FPWIN to authorized personnel only

HARDENINGEducate engineers on safe file handling practices and risks of opening project files from untrusted sources

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate Control FPWIN Pro7 to version 7.7.0.0 or later

Long-term hardening

0/1

HARDENINGIsolate control system engineering networks from business networks using firewalls and air-gapping where possible

CVEs (3)

CVE-2023-28728 CVE-2023-28729 CVE-2023-28730

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/8879fd38-f524-4708-a30e-b2da20eee363