JVNVU#95282683
Multiple vulnerabilities in JTEKT ELECTRONICS Kostac PLC Programming Software

Overview

Kostac PLC Programming Software provided by JTEKT ELECTRONICS CORPORATION contains multiple vulnerabilities.

Products Affected

• Kostac PLC Programming Software (Former name: Koyo PLC Programming Software) Version 1.6.11.0 and earlier

Description

Kostac PLC Programming Software provided by JTEKT ELECTRONICS CORPORATION contains multiple vulnerabilities listed below.

• Double free (CWE-415) - CVE-2023-41374

  CVSS v3

  CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

  Base Score: 7.8

• Use-after-free (CWE-416) - CVE-2023-41375

  CVSS v3

  CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

  Base Score: 7.8

Impact

Arbitrary code may be executed by having a user open a specially crafted project file which was saved using Kostac PLC Programming Software Version 1.6.9.0 and earlier because the issue exists in parsing of KPP project files.

Solution

Update the software
Update Kostac PLC Programming Software to the latest version according to the information provided by the developer.
The developer released the following versions that contain fixes for these vulnerabilities.

• Kostac PLC Programming Software Version 1.6.12.0 and above

The latest update can be obtained from the developer's website listed below.

• PLC - Download｜JTEKT ELECTRONICS CORPORATION

Apply workaround
The developer states that Kostac PLC Programming Software Version 1.6.10.0 or later implements the function which prevents a project file alteration. Therefore, to mitigate the impact of these vulnerabilities, a project file which was saved using Kostac PLC Programming Software Version 1.6.9.0 and earlier needs to be saved again using Kostac PLC Programming Software Version 1.6.10.0 or later.