Published: 2023/02/03  Last Updated: 2023/04/07

JVNVU#98917488
Multiple vulnerabilities in JTEKT ELECTRONICS Screen Creator Advance 2

Overview

Screen Creator Advance 2 provided by JTEKT ELECTRONICS CORPORATION contains multiple vulnerabilities.

Products Affected

  • Screen Creator Advance 2 Ver.0.1.1.4 Build01 and earlier

Description

Screen Creator Advance 2 provided by JTEKT ELECTRONICS CORPORATION contains multiple vulnerabilities listed below.

  • Out-of-bounds write (CWE-787) - CVE-2023-22345
    CVSS v3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Base Score: 7.8
  • Out-of-bounds read (CWE-125) - CVE-2023-22346, CVE-2023-22347, CVE-2023-22349, CVE-2023-22350, CVE-2023-22353
    CVSS v3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Base Score: 7.8
  • Use-after-free (CWE-416) - CVE-2023-22360
    CVSS v3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Base Score: 7.8

Impact

When a user of Screen Creator Advance 2 opens a specially crafted project file, the following vulnerabilities can be triggered, which may result in information disclosure and/or arbitrary code execution.

CVE-2023-22345
An out-of-bounds write occurs because there is no error handling process when out-of-specification errors are detected.

CVE-2023-22346
An out-of-bounds read occurs because the end of the data cannot be verified when processing template information.

CVE-2023-22347
An out-of-bounds read occurs because the end of the data cannot be verified when processing file structure information.

CVE-2023-22349
An out-of-bounds read occurs because the end of the data cannot be verified when processing screen management information.

CVE-2023-22350
An out-of-bounds read occurs because the end of the data cannot be verified when processing parts management information.

CVE-2023-22353
An out-of-bounds read occurs because the end of the data cannot be verified when processing control management information.

CVE-2023-22360
A use-after-free occurs because no error handling is performed even when an error is detected.
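
The root causes above (no end-of-data check while reading, and processing that continues after an error) can be illustrated with a hardened parser. This is an added example, not code from the developer or from JPCERT/CC; the record layout, the cursor type and the function names are hypothetical and do not describe the real project file format.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed layout, NOT the real Screen Creator Advance 2 project format:
 *   u16 count | count x { u16 len | payload[len] }   (little-endian)      */
typedef struct {
    const uint8_t *p;    /* next unread byte */
    const uint8_t *end;  /* one past the last valid byte */
} cursor;

/* Bytes left before the end of data. */
static size_t remaining(const cursor *c) { return (size_t)(c->end - c->p); }

/* Read a u16 only when two bytes are actually available. */
static int read_u16(cursor *c, uint16_t *out) {
    if (remaining(c) < 2) return -1;
    *out = (uint16_t)(c->p[0] | ((unsigned)c->p[1] << 8));
    c->p += 2;
    return 0;
}

/* Copy every record payload into dst. Returns the record count, or -1 on
 * malformed input; on error *written is 0 and the caller must stop parsing. */
int parse_records(const uint8_t *buf, size_t size,
                  uint8_t *dst, size_t dst_cap, size_t *written) {
    cursor c = { buf, buf + size };
    uint16_t count, len;
    size_t used = 0;

    *written = 0;
    if (read_u16(&c, &count) != 0) return -1;
    for (uint16_t i = 0; i < count; i++) {
        if (read_u16(&c, &len) != 0) return -1;  /* header past end of data */
        if (len > remaining(&c)) return -1;      /* payload past end: OOB read */
        if (len > dst_cap - used) return -1;     /* would overflow dst: OOB write */
        memcpy(dst + used, c.p, len);
        c.p += len;
        used += len;
    }
    if (remaining(&c) != 0) return -1;           /* trailing bytes: reject */
    *written = used;
    return (int)count;
}
```

Every length taken from the file is compared against the bytes that remain before it is used, and the first failed check ends parsing instead of letting later code run on a half-processed state.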

Solution

Update the software
Update Screen Creator Advance 2 to the latest version according to the information provided by the developer.
The developer has released the following version, which contains fixes for these vulnerabilities.

  • Screen Creator Advance 2 Ver.0.1.1.4 Build01A and above

The latest update can be obtained from the developer's website listed below.

Vendor Status

Vendor                          Status      Last Update  Vendor Notes
JTEKT ELECTRONICS CORPORATION   Vulnerable  2023/02/03   JTEKT ELECTRONICS CORPORATION website

References

  1. ICS Advisory | ICSA-23-096-02
    JTEKT ELECTRONICS Screen Creator Advance 2

Credit

Michael Heinzl reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.

Other Information

CVE: CVE-2023-22345, CVE-2023-22346, CVE-2023-22347, CVE-2023-22349, CVE-2023-22350, CVE-2023-22353, CVE-2023-22360

Update History

2023/04/07
Updated the information under the section [References]