Hitachi Incident Response Team

hitachi-sec-2023-002 : Multiple Vulnerabilities in Hitachi EH-VIEW

Last Update: August 23, 2023

1. Overview

Multiple vulnerabilities have been discovered in Hitachi EH-VIEW, which could allow local attackers to potentially disclose information and execute arbitrary code on affected EH-VIEW installations. User interaction is required to exploit the vulnerabilities in that the user must open a malicious file.

CVE-2023-3495: Out-of-Bounds Write
The flaws (#1, #2) in EH-VIEW (KeypadDesigner) exist within the parsing of KBD files.

CVSS:2.0/AV:L/AC:L/Au:N/C:C/I:C/A:C [7.2]
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H [7.8]
CWE-787: Out-of-bounds Write

CVE-2023-39984: Improper Restriction of Operations within the Bounds of a Memory Buffer
The flaw in EH-VIEW (KeypadDesigner) exists within the parsing of KBD files.

CVSS:2.0/AV:L/AC:L/Au:N/C:C/I:C/A:C [7.2]
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H [7.8]
CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

CVE-2023-39985: Out-of-Bounds Write
The flaws (#1, #2) in EH-VIEW (Designer) exist within the parsing of UPR files.

CVSS:2.0/AV:L/AC:L/Au:N/C:C/I:C/A:C [7.2]
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H [7.8]
CWE-787: Out-of-bounds Write

CVE-2023-39986: Out-of-Bounds Read
The flaws (#1, #2, #3, #4) in EH-VIEW (Designer) exist within the parsing of UPR files.

CVSS:2.0/AV:L/AC:L/Au:N/C:C/I:C/A:C [7.2]
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H [7.8]
CWE-125: Out-of-bounds Read

2. Affected Systems

  • Hitachi EH-VIEW
    cpe:/a:hitachi:eh-view

3. Impact

These vulnerabilities allow a user to potentially disclose information and to execute arbitrary code on affected installations of EH-VIEW.

4. Solution

EH-VIEW has already reached End of Life (EOL) and is no longer supported. Hitachi recommends that this product be retired.

5. References

6. Credit

Michael Heinzl reported these vulnerabilities.

7. Update history

August 23, 2023
  • This webpage was newly created and published.

Masato Terada (HIRT) and Naoko Ohnishi (HIRT)