hitachi-sec-2023-002 : Multiple Vulnerabilities in Hitachi EH-VIEW

Last Update: August 23, 2023

1. Overview


Multiple vulnerabilities have been discovered in Hitachi EH-VIEW. They could allow local attackers to potentially disclose information and execute arbitrary code on affected EH-VIEW installations. Exploitation requires user interaction: the user must open a malicious file.

 

CVE-2023-3495: Out-of-Bounds Write
The flaws (#1, #2) in EH-VIEW (KeypadDesigner) exist within the parsing of KBD files.

 

CVSS:2.0/AV:L/AC:L/Au:N/C:C/I:C/A:C [7.2]
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H [7.8]
CWE-787: Out-of-bounds Write

 

CVE-2023-39984: Improper Restriction of Operations within the Bounds of a Memory Buffer
The flaw in EH-VIEW (KeypadDesigner) exists within the parsing of KBD files.

 

CVSS:2.0/AV:L/AC:L/Au:N/C:C/I:C/A:C [7.2]
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H [7.8]
CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

 

CVE-2023-39985: Out-of-Bounds Write
The flaws (#1, #2) in EH-VIEW (Designer) exist within the parsing of UPR files.

 

CVSS:2.0/AV:L/AC:L/Au:N/C:C/I:C/A:C [7.2]
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H [7.8]
CWE-787: Out-of-bounds Write

 

CVE-2023-39986: Out-of-Bounds Read
The flaws (#1, #2, #3, #4) in EH-VIEW (Designer) exist within the parsing of UPR files.

 

CVSS:2.0/AV:L/AC:L/Au:N/C:C/I:C/A:C [7.2]
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H [7.8]
CWE-125: Out-of-bounds Read

2. Affected Systems


  • Hitachi EH-VIEW
    cpe:/a:hitachi:eh-view

3. Impact


These vulnerabilities allow a user to potentially disclose information and to execute arbitrary code on affected installations of EH-VIEW.

4. Solution


EH-VIEW has already reached End of Life (EOL) and is no longer supported. Hitachi recommends that this product be retired.

5. References


CVE-2023-3495 (** UNSUPPORTED WHEN ASSIGNED **)
https://www.cve.org/CVERecord?id=CVE-2023-3495

CVE-2023-39984 (** UNSUPPORTED WHEN ASSIGNED **)
https://www.cve.org/CVERecord?id=CVE-2023-39984

CVE-2023-39985 (** UNSUPPORTED WHEN ASSIGNED **)
https://www.cve.org/CVERecord?id=CVE-2023-39985

CVE-2023-39986 (** UNSUPPORTED WHEN ASSIGNED **)
https://www.cve.org/CVERecord?id=CVE-2023-39986

6. Credit


Michael Heinzl reported these vulnerabilities.

7. Update history


August 23, 2023

  • This webpage was newly created and published.

Masato Terada (HIRT) and Naoko Ohnishi (HIRT)