1 Advisory and 3 Updates Published – 1-26-21

Today CISA’s NCCIC-ICS published a control system security update for products from Fuji Electric and updated three advisories for products from Mitsubishi, Treck and Eaton.

Fuji Advisory

This advisory describes five vulnerabilities in the Fuji Tellus Lite V-Simulator and V-Server Lite. The vulnerabilities were reported by Kimiya, Khangkito – Tran Van Khang of VinCSS (Member of Vingroup), and an anonymous researcher via the Zero Day Initiative. Fuji has a newer version that mitigates the vulnerabilities. There is no indication that the researchers have been provided with an opportunity to verify the efficacy of the fix.

The five reported vulnerabilities are:

Stack-based buffer overflow - CVE-2021-22637,

Out-of-bounds read - CVE-2021-22655,

Out-of-bounds write - CVE-2021-22653,

Access of uninitialized pointer - CVE-2021-22639, and

Heap-based buffer overflow - CVE-2021-22641

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to allow an attacker to execute code under the privileges of the application.

Mitsubishi Update

This update provides additional information on an advisory that was originally published on September 1^st, 2020. The new information includes updated affected version and mitigation measures for:

• R12CCPU-V,

• RD55UP06-V,

• RD55UP12-V,

• RJ71GN11-T2,

• Q03UDECPU,

• QnUDEHCPU,

• QnUDVCPU,

• QnUDPVCPU

• LnCPU(-P),

• L26CPU-(P)BT,

• RnSFCPU,

• RnPCPU,

• RnPSFCPU,

• FX5-ENET,

• FX5-ENET/IP,

• FX3U-ENET-ADP,

• FX3GE-**M*/**,

• FX3U-ENET,

• FX3U-ENET-L,

• FX3U-ENET-P502,

• FX5-CCLGN-MS

• FR-A800-E Series,

• FR-F800-E Series,

• FR-A8NCG,

• FR-E800-EPA Series, and

• FR-E800-EPB Series

Treck Update

This update provides additional information on an advisory that was originally published on December 18^th, 2020. The new information includes providing the researcher names from Intel that reported the advisory.

Eaton Update

This update provides additional information on an advisory that was originally reported on January 11^th, 2021. The new information includes the announcement of the availability of a patch that mitigates the vulnerability.