[Update notice] HMI GC-A2 series
1.Overview
Multiple vulnerabilities were found in HMI GC-A2 series.
We will inform you of the contents and how to deal with them.
Please confirm the contents and apply the follow solution.
2.Products Affected
The following products are affected by the vulnerability.
| Products | Firmware Version |
|---|---|
| GC-A22W-CW | All Versions |
| GC-A24W-C(W) | All Versions |
| GC-A26W-C(W) | All Versions |
| GC-A24 | All Versions |
| GC-A24-M | All Versions |
| GC-A25 | All Versions |
| GC-A26 | All Versions |
| GC-A26-J2 | All Versions |
| GC-A27-C | All Versions |
| GC-A28-C | All Versions |
3.Description
HMI GC-A2 series contain multiple vulnerabilities listed below.
3-1.Denial-of-service (DoS) vulnerability in FTP service (CWE-400) – CVE-2023-41963
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Base score: 7.5
CVSS v2 AV:N/AC:L/Au:N/C:N/I:N/A:C Base score: 7.8
3-2. Denial-of-service (DoS) vulnerability in commplex-link service (CWE-400) – CVE-2023-49140
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Base score: 7.5
CVSS v2 AV:N/AC:L/Au:N/C:N/I:N/A:C Base score: 7.8
3-3. Denial-of-service (DoS) vulnerability in rfe service (CWE-400) – CVE-2023-49143
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Base score: 7.5
CVSS v2 AV:N/AC:L/Au:N/C:N/I:N/A:C Base score: 7.8
3-4. Denial-of-service (DoS) vulnerability in NetBIOS service (CWE-400) – CVE-2023-49713
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Base score: 7.5
CVSS v2 AV:N/AC:L/Au:N/C:N/I:N/A:C Base score: 7.8
4.Impact
A remote attacker may be able to cause a denial of service (DoS) condition by sending specially crafted packets to specific ports.
A denial of service (DoS) may cause the HMI system to stop.
Restarting the HMI is required to recover from a system stopped state.
5.Mitigations and Protections
When connecting the HMI GC-A2 series to the Internet, use a firewall or virtual private network (VPN) to prevent unauthorized access.