JVNVU#92808077
Multiple vulnerabilities in JTEKT ELECTRONICS Kostac PLC Programming Software
Overview
Kostac PLC Programming Software provided by JTEKT ELECTRONICS CORPORATION contains multiple vulnerabilities.
Products Affected
- Kostac PLC Programming Software (Former name: Koyo PLC Programming Software) Version 1.6.14.0 and earlier
Description
Kostac PLC Programming Software provided by JTEKT ELECTRONICS CORPORATION contains multiple vulnerabilities listed below.
- Out-of-bounds write (CWE-787)
- CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Base Score: 7.8
- CVE-2024-47134
- Stack-based buffer overflow (CWE-121)
- CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Base Score: 7.8
- CVE-2024-47135
- Out-of-bounds read (CWE-125)
- CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Base Score: 7.8
- CVE-2024-47136
Impact
Having a user open a specially crafted project file which was saved using Kostac PLC Programming Software Version 1.6.9.0 and earlier may cause a denial-of-service (DoS) condition, arbitrary code execution, and/or information disclosure because the issues exist in parsing of KPP project files.
Solution
Update the software
Update Kostac PLC Programming Software to the latest version according to the information provided by the developer.
The developer released the following version that contains fixes for these vulnerabilities.
- Kostac PLC Programming Software Version 1.6.15.0 and above
The latest update can be obtained from the developer's website listed below.
Apply workaroundThe developer states that Kostac PLC Programming Software Version 1.6.10.0 or later implements the function which prevents a project file alteration. Therefore, to mitigate the impact of these vulnerabilities, a project file which was saved using Kostac PLC Programming Software Version 1.6.9.0 and earlier needs to be saved again using Kostac PLC Programming Software Version 1.6.10.0 or later.
Vendor Status
Vendor | Status | Last Update | Vendor Notes |
---|---|---|---|
JTEKT ELECTRONICS CORPORATION | Vulnerable | 2024/10/02 | JTEKT ELECTRONICS CORPORATION website |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Michael Heinzl reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.
Other Information
JPCERT Alert |
|
JPCERT Reports |
|
CERT Advisory |
|
CPNI Advisory |
|
TRnotes |
|
CVE |
CVE-2024-47134 |
CVE-2024-47135 |
|
CVE-2024-47136 |
|
JVN iPedia |
|