[Update notice] Screen Creator Advance 2 software of GC-A2 Series

Mar. 31, 2023

1.Overview

A vulnerability was found in Screen Creator Advance 2.
This notice describes the vulnerability and how to address it.
Please review the details and apply the following solution.

2.Products Affected

Product: Screen Creator Advance 2
Version: Prior to Ver.0.1.1.4 Build01A

3.Description

Screen Creator Advance 2 contains a vulnerability listed below.

Vulnerability: Improper Restriction of Operations within the Bounds of a Memory Buffer

When a project file is opened in Screen Creator Advance 2, the routine that reads the control information associated with the screen information contained in the file does not properly check the size of the data being handled.
As a result, a project file whose size value has been crafted in advance can cause memory outside the intended range to be read and written.

CWE ID: CWE-119
CVE ID: CVE-2023-25755
CVSS v3: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Base score: 7.8
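
The missing size check described above, shown as an added example (not JTEKT's code and not the real project-file format): a C reader for a hypothetical size-prefixed control record that validates the declared size against both the destination buffer and the bytes remaining in the file before copying. The record layout, `CTRL_MAX` and all function and type names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CTRL_MAX 64 /* hypothetical capacity of the in-memory control buffer */

typedef enum { CTRL_OK = 0, CTRL_TRUNCATED, CTRL_TOO_LARGE } ctrl_status;
typedef struct { uint8_t data[CTRL_MAX]; size_t len; } ctrl_info;

/* Hypothetical record layout (an assumption, not the real file format):
 * 2-byte little-endian declared size, followed by that many payload bytes. */
ctrl_status read_ctrl_record(const uint8_t *buf, size_t buf_len,
                             size_t *offset, ctrl_info *out)
{
    size_t pos = *offset;

    /* The 2-byte size header itself must lie inside the file data. */
    if (pos > buf_len || buf_len - pos < 2)
        return CTRL_TRUNCATED;
    size_t declared = (size_t)buf[pos] | ((size_t)buf[pos + 1] << 8);
    pos += 2;

    /* Declared size vs. destination capacity: blocks the out-of-range write. */
    if (declared > sizeof out->data)
        return CTRL_TOO_LARGE;
    /* Declared size vs. bytes actually present: blocks the out-of-range read. */
    if (declared > buf_len - pos)
        return CTRL_TRUNCATED;

    memcpy(out->data, buf + pos, declared);
    out->len = declared;
    *offset = pos + declared; /* advance only after a fully validated record */
    return CTRL_OK;
}

int main(void)
{
    /* Constructed sample records, not taken from any real project file. */
    const uint8_t good[]     = {0x03, 0x00, 'a', 'b', 'c'};
    const uint8_t oversize[] = {0xFF, 0xFF, 'a'};      /* claims 65535 bytes */
    const uint8_t cut[]      = {0x05, 0x00, 'a', 'b'}; /* claims 5, holds 2 */
    ctrl_info ci;
    size_t off = 0;
    printf("good:     %d\n", (int)read_ctrl_record(good, sizeof good, &off, &ci));
    off = 0;
    printf("oversize: %d\n", (int)read_ctrl_record(oversize, sizeof oversize, &off, &ci));
    off = 0;
    printf("cut:      %d\n", (int)read_ctrl_record(cut, sizeof cut, &off, &ci));
    return 0;
}
```

A rejected record leaves `*offset` unchanged, so the caller can stop parsing and refuse the file instead of continuing from an attacker-influenced position.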

4.Impact

Information disclosure and/or arbitrary code execution may occur if a user opens a specially crafted project file.

5.Solution

Update Screen Creator Advance 2

The version that contains a fix for this vulnerability is as follows.
This version not only addresses the vulnerability but also includes measures to prevent crafted project files from being opened.

Version: Ver.0.1.1.4 Build01B and above

The latest version can be downloaded from our website:
https://www.electronics.jtekt.co.jp/en/download/hmi/

6.Credit

Michael Heinzl reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with us.