PatchSiren cyber security CVE debrief
CVE-2024-37029 Fuji Electric CVE debrief
A stack-based buffer overflow vulnerability in Fuji Electric Tellus Lite V-Simulator, published 2024-06-13, enables arbitrary code execution with a CVSS 3.1 score of 7.8 (HIGH). The vulnerability requires local access and user interaction, but no privileges are needed. Affected versions are prior to v4.0.20.0. Fuji Electric has released a patched version.
- Vendor: Fuji Electric
- Product: Tellus Lite V-Simulator
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-06-13
- Original CVE updated: 2024-06-13
- Advisory published: 2024-06-13
- Advisory updated: 2024-06-13
Who should care
Organizations using Fuji Electric Tellus Lite V-Simulator for HMI development in industrial automation environments, particularly engineering workstations and OT development systems. Critical infrastructure operators in manufacturing, energy, and process industries relying on Fuji Electric HMI solutions should prioritize patching.
Technical summary
CVE-2024-37029 is a stack-based buffer overflow in Fuji Electric Tellus Lite V-Simulator versions prior to v4.0.20.0. The vulnerability can be triggered when processing malformed input, potentially allowing an attacker to execute arbitrary code in the context of the application. The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) indicates a local attack vector requiring user interaction but no privileges, with high impact on confidentiality, integrity, and availability. This affects industrial automation engineering environments where Tellus Lite V-Simulator is used for HMI project development and testing.
Defensive priority
HIGH
Recommended defensive actions
- Update Fuji Electric Tellus Lite V-Simulator to version v4.0.20.0 or later.
- Restrict local access to systems running Tellus Lite V-Simulator to authorized personnel only.
- Implement application whitelisting and execution controls on engineering workstations.
- Monitor for anomalous process execution or unexpected memory corruption events in Tellus Lite V-Simulator.
- Validate integrity of project files before opening in Tellus Lite V-Simulator.
Evidence notes
Vulnerability details sourced from CISA CSAF advisory ICSA-24-165-14. CVSS vector confirms local attack vector with user interaction required. Vendor remediation guidance specifies update to v4.0.20.0.
Official resources
- CVE-2024-37029 CVE record (CVE.org)
- CVE-2024-37029 NVD detail (NVD)
- Source item URL (cisa_csaf)