CVE-2023-3495: Multiple Vulnerabilities in Hitachi EH-VIEW : Hitachi Incident Response Team : Hitachi

** UNSUPPORTED WHEN ASSIGNED ** Out-of-bounds Write vulnerability in Hitachi EH-VIEW (KeypadDesigner) allows local attackers to potentially execute arbitrary code on affected EH-VIEW installations. User interaction is required to exploit the vulnerabilities in that the user must open a malicious file. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Last Update: August 23, 2023

1. Overview

Multiple vulnerabilities have been discovered in Hitachi EH-VIEW, which could allow local attackers to potentially disclose information and execute arbitrary code on affected EH-VIEW installations. User interaction is required to exploit the vulnerabilities in that the user must open a malicious file.

CVE-2023-3495: Out-of-Bounds Write
The flaws (#1, #2) in EH-VIEW (KeypadDesigner) exist within the parsing of KBD files.

CVE-2023-39984: Improper Restriction of Operations within the Bounds of a Memory Buffer
The flaw in EH-VIEW (KeypadDesigner) exists within the parsing of KBD files.

CVE-2023-39985: Out-of-Bounds Write
The flaws (#1, #2) in EH-VIEW (Designer) exist within the parsing of UPR files.

CVE-2023-39986: Out-of-Bounds Read
The flaws (#1, #2, #3, #4) in EH-VIEW (Designer) exist within the parsing of UPR files.

2. Affected Systems

  • Hitachi EH-VIEW
    cpe:/a:hitachi:eh-view

3. Impact

These vulnerabilities allow a user to potentially disclose information and to execute arbitrary code on affected installations of EH-VIEW.

4. Solution

EH-VIEW has already reached End of Life (EOL) and is no longer supported. Hitachi recommends that this product be retired.

5. References

  • CVE-2023-3495 (** UNSUPPORTED WHEN ASSIGNED **)
    https://www.cve.org/CVERecord?id=CVE-2023-3495
  • CVE-2023-39984 (** UNSUPPORTED WHEN ASSIGNED **)
    https://www.cve.org/CVERecord?id=CVE-2023-39984
  • CVE-2023-39985 (** UNSUPPORTED WHEN ASSIGNED **)
    https://www.cve.org/CVERecord?id=CVE-2023-39985
  • CVE-2023-39986 (** UNSUPPORTED WHEN ASSIGNED **)
    https://www.cve.org/CVERecord?id=CVE-2023-39986

6. Credit

Michael Heinzl reported these vulnerabilities.

7. Update history

August 23, 2023

  • This webpage was newly created and published.

Masato Terada (HIRT) and Naoko Ohnishi (HIRT)
