JVNVU#94966432
Multiple vulnerabilities in JTEKT ELECTRONICS Kostac PLC Programming Software
Overview
Kostac PLC Programming Software provided by JTEKT ELECTRONICS CORPORATION contains multiple vulnerabilities.
Products Affected
- Kostac PLC Programming Software (Former name: Koyo PLC Programming Software) Version 1.6.9.0 and earlier
Description
Kostac PLC Programming Software provided by JTEKT ELECTRONICS CORPORATION contains multiple vulnerabilities listed below.
Impact
Opening a specially crafted project file may result in information disclosure and/or arbitrary code execution.
CVE-2023-22419
When processing a comment block in stage information, the end of data cannot be verified and out-of-bounds read occurs.
CVE-2023-22421
The insufficient buffer size for the PLC program instructions leads to out-of-bounds read.
CVE-2023-22424
With the abnormal value given as the maximum number of columns for the PLC program, the process accesses the freed memory.
Solution
Update the software
Update Kostac PLC Programming Software to the latest version according to the information provided by the developer.
The developer released the following versions that contain fixes for these vulnerabilities.
- Kostac PLC Programming Software Version 1.6.10.0 and above
The latest update can be obtained from the developer's website listed below.
Vendor Status
| Vendor | Status | Last Update | Vendor Notes |
|---|---|---|---|
| JTEKT ELECTRONICS CORPORATION | Vulnerable | 2023/03/03 | JTEKT ELECTRONICS CORPORATION website |
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Michael Heinzl reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2023-22419 |
|
CVE-2023-22421 |
|
|
CVE-2023-22424 |
|
| JVN iPedia |
|
Update History
- 2023/04/07
- Updated the information under the section [References]