Published: 2024/11/28 Last Updated: 2024/11/28
JVNVU#97531313
Multiple vulnerabilities in FUJI ELECTRIC products
Overview
FUJI ELECTRIC V-SFT, TELLUS, TELLUS Lite, V-Server, and V-Server Lite contain multiple vulnerabilities.
Products Affected
CVE-2024-38309
- V-SFT v6.2.2.0 and earlier
- TELLUS v4.0.19.0 and earlier
- TELLUS Lite v4.0.19.0 and earlier
CVE-2024-38389
- TELLUS v4.0.19.0 and earlier
- TELLUS Lite v4.0.19.0 and earlier
CVE-2024-38658
- V-Server v4.0.19.0 and earlier
- V-Server Lite v4.0.19.0 and earlier
Description
The vulnerabilities listed below exist in the remote monitoring software 'TELLUS' and 'TELLUS Lite', and in the simulator module and the remote monitoring software 'V-Server' and 'V-Server Lite' contained in the graphic editor 'V-SFT', all provided by FUJI ELECTRIC CO., LTD.
- Multiple stack-based buffer overflow vulnerabilities in V-SFT, TELLUS, and TELLUS Lite (CWE-121)
  - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Base Score 7.8
  - CVE-2024-38309
- Out-of-bounds read vulnerability in TELLUS and TELLUS Lite (CWE-125)
  - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Base Score 7.8
  - CVE-2024-38389
- Out-of-bounds read vulnerability in V-Server and V-Server Lite (CWE-125)
  - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Base Score 7.8
  - CVE-2024-38658
Impact
If a user opens a specially crafted file, information may be disclosed and/or arbitrary code may be executed.
Solution
Update the software
Update the software to the latest version according to the information provided by the developer.
Vendor Status
Vendor | Link |
FUJI ELECTRIC CO., LTD. / Hakko Electronics Co., Ltd. | TELLUS and V-Server Improvement information Version4.0.20.0 (2450Q01,2450Q02,2450S03) |
Credit
Michael Heinzl reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.
Other Information
CVE | CVE-2024-38309, CVE-2024-38389, CVE-2024-38658 |