[Update notice] Screen Creator Advance 2 software of GC-A2 Series
We updated Screen Creator Advance2 for GC-A2 Series, and released installer of new version(Ver0113B01).
A vulnerability was found in Screen Creator Advance 2.
We will inform you of the contents and how to deal with it.
Please confirm the contents and apply the follow solution.
Product: Screen Creator Advance 2
Version: Prior to Ver.0.1.1.3 Build01
In prior to Ver.0.1.1.3 Build01, there is a vulnerability that allows you to authenticate without entering authentication information if you try remote control while satisfying multiple conditions.
This vulnerability will only be reproduced if the following conditions are met.
Screen Creator Advance 2 -> Function List-> Panel Settings-> Remote enable the “Use Tablet” checkbox.
The remote “Account # 1” or “Account # 2” checkbox is enabled.
The password is enabled, and the number of characters in the account name is 0.
A vulnerability becomes effective when running a project that meets all of the above conditions with an HMI.
If you try remote control with real time remote monitoring and control tool “Remote GC” when all the conditions of conditions are satisfied, you must enter your authentication information to log in, but you can log in without the authentication information.
JVN ID: JVN#50337155
CVSS v3 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Base Score: 4.0
CVSS v2 AV:L/AC:L/Au:N/C:P/I:N/A:N Base Score: 2.1
The following products are affected by the vulnerability.
HMI GC-A2 series
Real time remote monitoring and control tool
Please install Screen Creator Advance 2 after Ver.0.1.1.3 Build 01. Please use installed Screen Creator Advance2, perform the Function List-> Panel Settings-> Remote reconfiguration. And please transfer the project to HMI.