Sign-up

ID

VAR-201412-0588


CVE

CVE-2014-7251


TITLE

Yokogawa FAST/TOOLS XML External entity injection vulnerability

Trust: 0.8

sources: IVD: b2ad0084-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-08646

DESCRIPTION

XML external entity (XXE) vulnerability in the WebHMI server in Yokogawa Electric Corporation FAST/TOOLS before R9.05-SP2 allows local users to cause a denial of service (CPU or network traffic consumption) or read arbitrary files via unspecified vectors. FAST/TOOLS provided by Yokogawa Electric Corporation contains a vulnerability where XML external entity (XXE) references are not properly restricted (CWE-611). Timur Yunusov, Alexey Osipov and Ilya Karpov of Positive Technologies reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.When opening a project with a specially crafted XML file, information managed by the product may be disclosed or may become a victim of a denial-of-service (DoS). The FAST/TOOLS software package is a distributed data acquisition and monitoring (SCADA) system. Yokogawa FAST/TOOLS has an XML external entity injection vulnerability that an attacker can exploit to obtain sensitive information or initiate a denial of service attack. This may lead to further attacks. Yokogawa FAST/TOOLS R9.01 through R9.05 are vulnerable. The system provides functions such as real-time event manager, data alarm management, data report and trend graph

Trust: 2.7

sources: NVD: CVE-2014-7251 // JVNDB: JVNDB-2014-000141 // CNVD: CNVD-2014-08646 // BID: 71379 // IVD: b2ad0084-2351-11e6-abef-000c29c66e3d // VULHUB: VHN-75196

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.8

sources: IVD: b2ad0084-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-08646

AFFECTED PRODUCTS

vendor:yokogawamodel:fast\/toolsscope:eqversion:r9.04

Trust: 1.6

vendor:yokogawamodel:fast\/toolsscope:eqversion:r9.02

Trust: 1.6

vendor:yokogawamodel:fast\/toolsscope:eqversion:r9.05

Trust: 1.6

vendor:yokogawamodel:fast\/toolsscope:eqversion:r9.01

Trust: 1.6

vendor:yokogawamodel:fast\/toolsscope:eqversion:r9.03

Trust: 1.6

vendor:yokogawa electricmodel:fast/toolsscope:eqversion:r9.01 through r9.05

Trust: 0.8

vendor:yokogawa electricmodel:fast/toolsscope: - version: -

Trust: 0.6

vendor:yokogawamodel:fast/tools r9.05scope: - version: -

Trust: 0.3

vendor:yokogawamodel:fast/tools r9.01scope: - version: -

Trust: 0.3

vendor:yokogawamodel:fast/tools r9.05-sp2scope:neversion: -

Trust: 0.3

vendor:fast toolsmodel:r9.01scope: - version: -

Trust: 0.2

vendor:fast toolsmodel:r9.02scope: - version: -

Trust: 0.2

vendor:fast toolsmodel:r9.03scope: - version: -

Trust: 0.2

vendor:fast toolsmodel:r9.04scope: - version: -

Trust: 0.2

vendor:fast toolsmodel:r9.05scope: - version: -

Trust: 0.2

sources: IVD: b2ad0084-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-08646 // BID: 71379 // JVNDB: JVNDB-2014-000141 // CNNVD: CNNVD-201412-032 // NVD: CVE-2014-7251

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-7251
value: LOW

Trust: 1.0

VENDOR: JVNDB-2014-000141
value: LOW

Trust: 0.8

CNVD: CNVD-2014-08646
value: LOW

Trust: 0.6

CNNVD: CNNVD-201412-032
value: LOW

Trust: 0.6

IVD: b2ad0084-2351-11e6-abef-000c29c66e3d
value: LOW

Trust: 0.2

VULHUB: VHN-75196
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2014-7251
severity: LOW
baseScore: 3.2
vectorString: AV:L/AC:L/AU:S/C:P/I:N/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 3.1
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

VENDOR: JVNDB-2014-000141
severity: LOW
baseScore: 2.4
vectorString: AV:L/AC:H/AU:S/C:P/I:N/A:P
accessVector: LOCAL
accessComplexity: HIGH
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2014-08646
severity: LOW
baseScore: 3.6
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: b2ad0084-2351-11e6-abef-000c29c66e3d
severity: LOW
baseScore: 3.6
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-75196
severity: LOW
baseScore: 3.2
vectorString: AV:L/AC:L/AU:S/C:P/I:N/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 3.1
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: IVD: b2ad0084-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-08646 // VULHUB: VHN-75196 // JVNDB: JVNDB-2014-000141 // CNNVD: CNNVD-201412-032 // NVD: CVE-2014-7251

PROBLEMTYPE DATA

problemtype:CWE-20

Trust: 1.9

problemtype:CWE-Other

Trust: 0.8

sources: VULHUB: VHN-75196 // JVNDB: JVNDB-2014-000141 // NVD: CVE-2014-7251

THREAT TYPE

local

Trust: 0.9

sources: BID: 71379 // CNNVD: CNNVD-201412-032

TYPE

Input validation

Trust: 0.8

sources: IVD: b2ad0084-2351-11e6-abef-000c29c66e3d // CNNVD: CNNVD-201412-032

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2014-000141

PATCH
title:Yokogawa Electric Corporation websiteurl:http://www.yokogawa.com/dcs/security/ysar/dcs-ysar-index-en.htm
Trust: 0.8
title:Patch for Yokogawa FAST/TOOLS XML External Entity Injection Vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/52353
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2014-08646 // 
            
            
            
            JVNDB: JVNDB-2014-000141

EXTERNAL IDS
db:NVDid:CVE-2014-7251
Trust: 3.6
db:JVNid:JVN54775800
Trust: 2.8
db:JVNDBid:JVNDB-2014-000141
Trust: 2.5
db:BIDid:71379
Trust: 1.6
db:CNNVDid:CNNVD-201412-032
Trust: 0.9
db:CNVDid:CNVD-2014-08646
Trust: 0.8
db:ICS CERTid:ICSA-14-343-01
Trust: 0.8
db:XFid:99018
Trust: 0.6
db:IVDid:B2AD0084-2351-11E6-ABEF-000C29C66E3D
Trust: 0.2
db:VULHUBid:VHN-75196
Trust: 0.1
sources:
            
            
            IVD: b2ad0084-2351-11e6-abef-000c29c66e3d // 
            
            
            
            CNVD: CNVD-2014-08646 // 
            
            
            
            VULHUB: VHN-75196 // 
            
            
            
            BID: 71379 // 
            
            
            
            JVNDB: JVNDB-2014-000141 // 
            
            
            
            CNNVD: CNNVD-201412-032 // 
            
            
            
            NVD: CVE-2014-7251

REFERENCES
url:http://jvn.jp/en/jp/jvn54775800/index.html
Trust: 2.8
url:http://www.yokogawa.com/dcs/security/ysar/ysar-14-0004e.pdf
Trust: 1.7
url:http://jvndb.jvn.jp/ja/contents/2014/jvndb-2014-000141.html
Trust: 1.7
url:http://www.securityfocus.com/bid/71379
Trust: 1.2
url:https://exchange.xforce.ibmcloud.com/vulnerabilities/99018
Trust: 1.1
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-7251
Trust: 0.8
url:https://ics-cert.us-cert.gov/advisories/icsa-14-343-01
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-7251
Trust: 0.8
url:http://xforce.iss.net/xforce/xfdb/99018
Trust: 0.6
url:http://www.yokogawa.com/
Trust: 0.3
sources:
            
            
            CNVD: CNVD-2014-08646 // 
            
            
            
            VULHUB: VHN-75196 // 
            
            
            
            BID: 71379 // 
            
            
            
            JVNDB: JVNDB-2014-000141 // 
            
            
            
            CNNVD: CNNVD-201412-032 // 
            
            
            
            NVD: CVE-2014-7251

CREDITS
Timur Yunusov, Alexey Osipov and Ilya Karpov of Positive Technologies.
Trust: 0.9
sources:
            
            
            BID: 71379 // 
            
            
            
            CNNVD: CNNVD-201412-032

SOURCES
db:IVDid:b2ad0084-2351-11e6-abef-000c29c66e3d
db:CNVDid:CNVD-2014-08646
db:VULHUBid:VHN-75196
db:BIDid:71379
db:JVNDBid:JVNDB-2014-000141
db:CNNVDid:CNNVD-201412-032
db:NVDid:CVE-2014-7251

LAST UPDATE DATE
2024-11-23T22:42:30.987000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2014-08646date:2014-12-03T00:00:00
db:VULHUBid:VHN-75196date:2017-09-08T00:00:00
db:BIDid:71379date:2014-11-28T00:00:00
db:JVNDBid:JVNDB-2014-000141date:2014-12-10T00:00:00
db:CNNVDid:CNNVD-201412-032date:2014-12-22T00:00:00
db:NVDid:CVE-2014-7251date:2024-11-21T02:16:36.820

SOURCES RELEASE DATE
db:IVDid:b2ad0084-2351-11e6-abef-000c29c66e3ddate:2014-12-03T00:00:00
db:CNVDid:CNVD-2014-08646date:2014-12-03T00:00:00
db:VULHUBid:VHN-75196date:2014-12-06T00:00:00
db:BIDid:71379date:2014-11-28T00:00:00
db:JVNDBid:JVNDB-2014-000141date:2014-11-28T00:00:00
db:CNNVDid:CNNVD-201412-032date:2014-11-28T00:00:00
db:NVDid:CVE-2014-7251date:2014-12-06T15:59:06.060