JVNVU#92808077
Multiple vulnerabilities in JTEKT ELECTRONICS Kostac PLC Programming Software

Overview

Kostac PLC Programming Software provided by JTEKT ELECTRONICS CORPORATION contains multiple vulnerabilities.

Products Affected

• Kostac PLC Programming Software (Former name: Koyo PLC Programming Software) Version 1.6.14.0 and earlier

Description

Kostac PLC Programming Software provided by JTEKT ELECTRONICS CORPORATION contains multiple vulnerabilities listed below.

• Out-of-bounds write (CWE-787)
  • CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Base Score: 7.8
  • CVE-2024-47134
• Stack-based buffer overflow (CWE-121)
  • CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Base Score: 7.8
  • CVE-2024-47135
• Out-of-bounds read (CWE-125)
  • CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Base Score: 7.8
  • CVE-2024-47136

Impact

Having a user open a specially crafted project file which was saved using Kostac PLC Programming Software Version 1.6.9.0 and earlier may cause a denial-of-service (DoS) condition, arbitrary code execution, and/or information disclosure because the issues exist in parsing of KPP project files.

Solution

Update the software
Update Kostac PLC Programming Software to the latest version according to the information provided by the developer.
The developer released the following version that contains fixes for these vulnerabilities.

• Kostac PLC Programming Software Version 1.6.15.0 and above

The latest update can be obtained from the developer's website listed below.

• PLC - Download｜JTEKT ELECTRONICS CORPORATION

Apply workaround
The developer states that Kostac PLC Programming Software Version 1.6.10.0 or later implements the function which prevents a project file alteration. Therefore, to mitigate the impact of these vulnerabilities, a project file which was saved using Kostac PLC Programming Software Version 1.6.9.0 and earlier needs to be saved again using Kostac PLC Programming Software Version 1.6.10.0 or later.