Headline
CVE-2023-41375: [Update notice] Kostac PLC Programming Software (KPP)|JTEKT ELECTRONICS CORPORATION
Use after free vulnerability exists in Kostac PLC Programming Software Version 1.6.11.0. Arbitrary code may be executed by having a user open a specially crafted project file which was saved using Kostac PLC Programming Software Version 1.6.9.0 and earlier because the issue exists in parsing of KPP project files. The vendor states that Kostac PLC Programming Software Version 1.6.10.0 or later implements the function which prevents a project file alteration. Therefore, to mitigate the impact of these vulnerabilities, a project file which was saved using Kostac PLC Programming Software Version 1.6.9.0 and earlier needs to be saved again using Kostac PLC Programming Software Version 1.6.10.0 or later.
Sep. 12, 2023
- TOP
- News
- [Update notice] Kostac PLC Programming Software (KPP)
1.Overview
Multiple vulnerabilities were found in Kostac PLC Programming Software.
We will inform you of the contents and how to deal with them.
Please confirm the contents and apply the follow solution.
2.Products Affected
Product: Kostac PLC Programming Software (Former name: Koyo PLC Programming Software)
Version: Version 1.6.11.0 and earlier
3.Description
Kostac PLC Programming Software contains multiple vulnerabilities listed below.
Vulnerability 1) Double Free
When a specially crafted project file is opened in Kostac PLC Programming Software, memory is double freed while processing line number information.
This applies to project file saved with Kostac PLC Programming Software Version 1.6.9.0 or earlier.
CWE ID:
CWE-415
CVE ID:
CVE-2023-41374
CVSS v3:
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Base score: 7.8
Vulnerability 2) Use After Free
When a specially crafted project file is opened in Kostac PLC Programming Software, freed memory is used during the processing of information in the display column.
This applies to project file saved with Kostac PLC Programming Software Version 1.6.9.0 or earlier.
CWE ID:
CWE-416
CVE ID:
CVE-2023-41375
CVSS v3:
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Base score: 7.8
4.Impact
Information disclosure and/or arbitrary code execution may occur by having a user to open a specially crafted project file.
5.Solution
Update Kostac PLC Programming Software
The version that contains fixes for these vulnerabilities is as follows.
Version: Version 1.6.12.0 and above
Project file saved with version 1.6.9.0 or earlier must be re-saved with version 1.6.10.0 or later to enable tamper-proof feature. If you have such a file, please re-saved it.
The latest version can be downloaded from the following our website.
https://www.electronics.jtekt.co.jp/en/download/plc/
6.Credit
Michael Heinzl reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with us.
Our Advantages
Global business expanding enable us to product development required by the World and Era. Also,
advanced total power and development capabilities doesn’t make us stay just component producer.
View details