This morning the DHS ICS-CERT published an advisory for a number of vulnerabilities in the Panasonic FPWIN Pro application. The vulnerabilities were reported through ZDI by Steven Seeley. Panasonic has developed a new version of the software that mitigates the vulnerability. There is no indication that Seeley has been given the opportunity to verify the efficacy of the fix.
The vulnerabilities include:
• Heap-based buffer overflow vulnerabilities - CVE-2016-4499;
• Access of uninitialized pointer - CVE-2016-4498;
• Out-of-bounds write - CVE-2016-4496; and
• Type confusion - CVE-2016-4497
ICS-CERT reports that a social engineering attack would be required to exploit these vulnerabilities.