TippingPoint Zero Day Initiative
 

Fuji Electric Monitouch V-SFT Insecure Configuration Privilege Escalation Vulnerability

ZDI-17-646: August 10th, 2017

CVE ID

CVSS Score

Affected Vendors

    Fuji Electric

Affected Products

    Monitouch V-SFT

Vulnerability Details


This vulnerability allows local attackers to escalate their privileges on vulnerable installations of Fuji Electric Monitouch V-SFT. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

The specific flaw exists within the configuration of Monitouch V-SFT. The software is installed with weak access controls on the executable files. An attacker can leverage this vulnerability to execute code in the context of any user of the software.

Vendor Response

Fuji Electric has issued an update to correct this vulnerability. More details can be found at:

Disclosure Timeline

    2016-09-19 - Vulnerability reported to vendor
    2017-08-10 - Coordinated public release of advisory

Credit

This vulnerability was discovered by:
    Fritz Sands of the Zero Day Initiative