1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: FESTO, FESTO Didactic
- Equipment: CIROS Studio / Education, Automation Suite, FluidDraw, FluidSIM, MES-PC
- Vulnerability: Out-of-bounds Write
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to gain full control of the host system, including remote code execution.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
FESTO, FESTO Didactic reports that the following products are affected:
- FESTO Didactic CIROS Studio / Education: 6.0.0 – 6.4.6
- FESTO Didactic CIROS Studio / Education: 7.0.0 – 7.1.7
- FESTO Festo Automation Suite: <= 2.6.0.481
- FESTO FluidDraw: P6 <= 6.2k
- FESTO FluidDraw: 365 <= 7.0a
- FESTO Didactic FluidSIM: 5 all versions
- FESTO Didactic FluidSIM: 6 <= 6.1c
- FESTO Didactic MES-PC: shipped before December 2023
3.2 VULNERABILITY OVERVIEW
3.2.1 OUT-OF-BOUNDS WRITE CWE-787
A heap buffer overflow vulnerability in the Wibu CodeMeter Runtime network service up to version 7.60b allows an unauthenticated, remote attacker to achieve RCE and gain full access to the host system.
CVE-2023-3935 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
3.3 PRODUCT IMPACT
Product-specific impact for an affected product vulnerable to the CVE:
- CVE-2023-3935
- (FESTO FluidDraw; FESTO FluidDraw; FESTO Festo Automation Suite): A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (