
Exploit
CVE-2024-5597

Access of Resource Using Incompatible Type ('Type Confusion') (CWE-843)

Published: Jun 10, 2024 / Updated: 5mo ago

CVSS 8.5 / EPSS 0.07% / High

Summary

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Fuji Electric Monitouch V-SFT. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of V9 files. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to execute code in the context of the current process.

Impact

This vulnerability could allow an attacker to execute arbitrary code on affected Fuji Electric Monitouch V-SFT systems, leading to complete system compromise. The attacker would need local access, but would not require any privileges on the system. The CVSS v3 base score is 9.8, indicating a critical severity. The impact on confidentiality, integrity, and availability is rated as HIGH, meaning the vulnerability could result in a total loss of protection, modification of all system files, or a complete shutdown of the affected resource.

Exploitation

One proof-of-concept exploit is available on zerodayinitiative.com. There is no evidence of exploitation at the moment.

Patch

Fuji Electric has issued an update to correct this vulnerability. The patch addresses versions of Monitouch V-SFT prior to 6.2.3.0. More details can be found at: https://www.cisa.gov/news-events/ics-advisories/icsa-24-151-02

Mitigation

1. Apply the software update provided by Fuji Electric as soon as possible to versions prior to 6.2.3.0.
2. Restrict local access to Monitouch V-SFT systems to trusted users only.
3. Implement the principle of least privilege for user accounts.
4. Educate users about the risks of visiting malicious pages or opening suspicious files.
5. Consider implementing application whitelisting to prevent unauthorized code execution.
6. Monitor system logs for any suspicious activities.
7. Keep all software and systems up-to-date with the latest security patches.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

First Article
Feedly found the first article mentioning CVE-2024-5597.
May 31, 2024 at 10:55 AM / ICS Advisories

CVSS Estimate
Feedly estimated the CVSS score as HIGH
Jun 5, 2024 at 1:18 PM

CVE Assignment
NVD published the first details for CVE-2024-5597
Jun 10, 2024 at 5:16 PM

CVSS
A CVSS base score of 7.8 has been assigned.
Jun 10, 2024 at 5:21 PM / nvd

EPSS
EPSS Score was set to: 0.07% (Percentile: 28.7%)
Jun 11, 2024 at 3:51 PM

CVSS
A CVSS base score of 9.8 has been assigned.
Jun 12, 2024 at 6:15 PM / nvd

Detection in Vulnerability Scanners
Detection for the vulnerability has been added to Qualys (380467)
Sep 10, 2024 at 7:53 AM

CVSS
A CVSS base score of 9.8 has been assigned.
Oct 28, 2024 at 8:40 PM / nvd

Affected Systems

Fujielectric/monitouch_v-sft

Exploits

https://www.zerodayinitiative.com/advisories/ZDI-24-564/

Vendor Advisory

ZDI-24-564: Fuji Electric Monitouch V-SFT V9 File Parsing Type Confusion Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Fuji Electric Monitouch V-SFT. Fuji Electric has issued an update to correct this vulnerability.

News

US-CERT Vulnerability Summary for the Week of June 10, 2024
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available. Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:
High: vulnerabilities with a CVSS base score of 7.0–10.0
Medium: vulnerabilities with a CVSS base score of 4.0–6.9
Low: vulnerabilities with a CVSS base score of 0.0–3.9
Entries may include additional information provided by organizations and efforts sponsored by CISA.
Vulnerability Summary for the Week of June 10, 2024
bjackson, Jun 17, 2024

High Vulnerabilities

| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
| --- | --- | --- | --- | --- |
| actpro -- extra_product_options_for_woocommerce | Missing Authorization vulnerability in actpro Extra Product Options for WooCommerce. This issue affects Extra Product Options for WooCommerce: from n/a through 3.0.6. | 2024-06-10 | 8.8 | CVE-2024-35727 audit@patchstack.com |
| adfinis--document-merge-service | Document Merge Service is a document template merge service providing an API to manage templates and merge them with given data. Versions 6.5.1 and prior are vulnerable to remote code execution via server-side template injection which, when executed as root, can result in full takeover of the affected system. As of time of publication, no patched version exists, nor have any known workarounds been disclosed. | 2024-06-11 | 9.9 | CVE-2024-37301 security-advisories@github.com security-advisories@github.com |
| Adobe--Adobe Commerce | Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by sending a crafted XML document that references external entities. Exploitation of this issue does not require user interaction. | 2024-06-13 | 9.8 | CVE-2024-34102 psirt@adobe.com |
| Adobe--Adobe Commerce | Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction, but admin privileges are required. | 2024-06-13 | 9.1 | CVE-2024-34108 psirt@adobe.com |
| Adobe--Adobe Commerce | Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Authentication vulnerability that could result in privilege escalation. | | | |
Security Bulletin 12 Jun 2024 - Cyber Security Agency of Singapore
CVE-2024-5597
High Severity
Description: Fuji Electric Monitouch V-SFT is vulnerable to a type confusion, which could cause a crash or code execution. Read more at https://www.tenable.com/cve/CVE-2024-5597

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability Impact: High
