CVE-2023-41374

7.8 HIGH

📋 TL;DR

A double free vulnerability in Kostac PLC Programming Software allows arbitrary code execution when users open specially crafted project files. This affects versions 1.6.11.0 and earlier, particularly when opening project files saved with versions 1.6.9.0 and earlier. Industrial control system operators and engineers using this software are at risk.

💻 Affected Systems

Products:
  • Kostac PLC Programming Software
Versions: Version 1.6.11.0 and earlier
Operating Systems: Windows (assumed based on typical PLC software)
Default Config Vulnerable: ⚠️ Yes
Notes: Project files saved with Kostac PLC Programming Software Version 1.6.9.0 and earlier are particularly dangerous when opened in vulnerable versions.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining full control of the engineering workstation, potentially enabling lateral movement to PLCs and industrial networks.

🟠 Likely Case

Local privilege escalation or remote code execution on the engineering workstation when malicious project files are opened.

🟢 If Mitigated

No impact if proper file validation and software updates are implemented as recommended by the vendor.

🌐 Internet-Facing: LOW - Exploitation requires user interaction to open malicious files, not directly internet-exposed.
🏢 Internal Only: HIGH - Attackers with internal access could plant malicious project files or use social engineering to trigger exploitation.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction to open malicious project files. The vulnerability is in parsing KPP project files.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 1.6.10.0 or later

Vendor Advisory: https://www.electronics.jtekt.co.jp/en/topics/202309125391/

Restart Required: Yes

Instructions:

1. Download Kostac PLC Programming Software Version 1.6.10.0 or later from official vendor sources.
2. Install the update following vendor instructions.
3. Restart the system.
4. Re-save all existing project files using the updated software to apply protection mechanisms.

🔧 Temporary Workarounds

Project File Re-saving

windows

Re-save all existing project files using Kostac PLC Programming Software Version 1.6.10.0 or later to apply file alteration prevention

File Access Restrictions

all

Restrict opening of KPP project files from untrusted sources and implement file integrity checking

🧯 If You Can't Patch

  • Isolate engineering workstations from general network access and implement strict file transfer controls
  • Implement application whitelisting to prevent execution of unauthorized code and monitor for suspicious file parsing activities

🔍 How to Verify

Check if Vulnerable:

Check software version in Help > About or program properties. If version is 1.6.11.0 or earlier, system is vulnerable.

Check Version:

Check application properties or use Windows 'wmic product get name,version' to identify installed version

Verify Fix Applied:

Verify software version is 1.6.10.0 or later and confirm project files have been re-saved using the updated version.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected crashes of Kostac software
  • Unusual file parsing errors in application logs
  • Creation of unexpected processes from Kostac executable

Network Indicators:

  • Unusual outbound connections from engineering workstation following file opening
  • File transfers of KPP project files from untrusted sources

SIEM Query:

Process Creation where Image contains 'kostac' AND ParentImage contains 'explorer.exe' AND CommandLine contains '.kpp'
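
The query above only records that a project file was opened. As an added example (not vendor or original-page code), the Python sketch below correlates that open with the "unexpected processes from Kostac executable" indicator over Sysmon-style process-creation events. The events, image paths, file names and field layout are constructed assumptions; only the substrings 'kostac', 'explorer.exe' and '.kpp' come from the query.

```python
import re
from datetime import datetime, timedelta

TS = "%Y-%m-%d %H:%M:%S"
KPP_ARG = re.compile(r'"([^"]+\.kpp)"|(\S+\.kpp)\b', re.IGNORECASE)
KOSTAC = r"C:\Program Files\Kostac\KostacPLC.exe"   # hypothetical install path
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"UtcTime": "2023-09-20 08:01:10", "ProcessId": 4120, "ParentProcessId": 900,
     "Image": KOSTAC, "ParentImage": EXPLORER,
     "CommandLine": '"' + KOSTAC + r'" "C:\Users\eng\Downloads\line3.kpp"'},
    {"UtcTime": "2023-09-20 08:01:14", "ProcessId": 5332, "ParentProcessId": 4120,
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": KOSTAC,
     "CommandLine": "cmd.exe"},
    {"UtcTime": "2023-09-20 09:30:00", "ProcessId": 6100, "ParentProcessId": 900,
     "Image": KOSTAC, "ParentImage": EXPLORER,
     "CommandLine": '"' + KOSTAC + r'" D:\Projects\press2.kpp'},
]

def is_kpp_open(ev):
    """The page's SIEM query: Kostac started from Explorer with a .kpp argument."""
    return ("kostac" in ev["Image"].lower()
            and "explorer.exe" in ev["ParentImage"].lower()
            and ".kpp" in ev["CommandLine"].lower())

def kpp_path(ev):
    """Extract the quoted or unquoted .kpp argument from the command line."""
    m = KPP_ARG.search(ev["CommandLine"])
    return (m.group(1) or m.group(2)) if m else None

def correlate(events, window=timedelta(minutes=5)):
    """Return (project file, child image) for every process spawned by a
    Kostac instance within `window` of that instance opening a project file."""
    # Keyed by PID; a production rule should key on a process GUID to survive PID reuse.
    opens = {ev["ProcessId"]: ev for ev in events if is_kpp_open(ev)}
    alerts = []
    for ev in events:
        parent = opens.get(ev["ParentProcessId"])
        if parent is None or "kostac" not in ev["ParentImage"].lower():
            continue
        delta = (datetime.strptime(ev["UtcTime"], TS)
                 - datetime.strptime(parent["UtcTime"], TS))
        if timedelta(0) <= delta <= window:
            alerts.append((kpp_path(parent), ev["Image"]))
    return alerts

if __name__ == "__main__":
    for project, child in correlate(SAMPLE_EVENTS):
        print(f"ALERT: {child} spawned by Kostac after opening {project}")
```

The second project-file open produces no alert because no child process follows it; crashes of the Kostac process after an open would need a separate rule on application-error events.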
