Fuji Electric’s Control and Operational Systems at Risk of Code-Execution Bugs

February 08, 2021 by Alessandro Mascellino

Bugs discovered in Fuji Electric’s industrial systems could allow attackers to take control of OT-IT convergence equipment, according to a new advisory from CISA.

In late January, the Cybersecurity and Infrastructure Security Agency (CISA) published the advisory, which describes vulnerabilities in Fuji Electric Tellus Lite V-Simulator and V-Server Lite.

According to the advisory, successful exploitation of these vulnerabilities could allow an attacker to execute code under the application’s privileges.

Fuji Electric: A Company Overview

Founded in 1923, Fuji Electric focuses on developing electricity infrastructure to ensure stable energy supply and optimization.

The company combines power electronics products with measuring instruments and the IoT, enabling plant automation and visualization advancement. In terms of electronic devices, Fuji Electric specializes in manufacturing semiconductors and magnetic disks.

In power generation, the firm builds solutions related to renewable energy, thermal power, and nuclear power. Fuji Electric also provides food safety and security and fosters automation and energy conservation.

Affecting Tellus Lite V-Simulator and V-Server Lite

Built by Fuji Electric to support these automation goals, the Tellus Lite V-Simulator and V-Server Lite are part of a single HMI system. The solution allows for real-time remote monitoring and collection of production data and provides control of several kinds of industrial and critical-infrastructure gear.

The HMI system can be deployed to interface with different manufacturers’ PLCs, temperature controllers, inverters, and other components.

An inverter manufacturing facility. Image courtesy of Fuji Electric.

The new vulnerabilities, discovered by a member of Vingroup and an anonymous researcher working with Trend Micro’s Zero Day Initiative, would potentially allow attackers to execute code under the application’s privileges.

The CISA Advisory

According to the agency, the bugs require a low skill level to exploit and carry a CVSS v3 base score of 7.8.

The Common Vulnerability Scoring System (CVSS) is an open industry standard for assessing the severity of computer system security vulnerabilities, with scores ranging from 0 to 10 and 10 being the most severe. According to CISA, the new vulnerabilities are not exploitable remotely, so attackers would have to gain initial access to the user’s network before executing malicious code.

A graphic showing the communication between the Tellus-HMI and the PLC. Image courtesy of Fuji Electric.

Five different kinds of security vulnerabilities were found in the Tellus Lite V-Simulator and V-Server Lite platform. All of them lie in how the application processes project files, so an attacker could build a malicious project file that may allow arbitrary code execution.

Blinding HMI Monitoring Systems

While most industrial environments keep their operational technology (OT) physical equipment isolated and disconnected from the internet, HMI devices can often provide a connection between OT and information technology (IT) equipment.

This connection can consequently constitute a vulnerability for industrial control systems (ICS).

For example, successful exploitation of the Fuji Electric bugs reported by CISA could have resulted in damage to manufacturing equipment on the line, as well as potential production slowdowns and data loss. The system could also have been manipulated to alter the data displayed on the HMI monitoring systems, blinding operators to an attack happening on the remote equipment.

Following the CISA report publication, Fuji Electric released an updated version of its V-Simulator and V-Server Lite HMI, bringing the platform to v4.0.10.0 and patching the reported vulnerabilities.

The advisory follows another one issued by the agency last December, which disclosed vulnerabilities in GE Healthcare imaging and ultrasound products.

Featured image courtesy of Fuji Electric.