ID

VAR-201708-1407


CVE

CVE-2017-9660


TITLE

Fuji Electric Monitouch V-SFT Buffer error vulnerability

Trust: 1.4

sources: JVNDB: JVNDB-2017-007180 // CNNVD: CNNVD-201706-577

DESCRIPTION

A Heap-Based Buffer Overflow was discovered in Fuji Electric Monitouch V-SFT versions prior to Version 5.4.43.0. A heap-based buffer overflow vulnerability has been identified, which may cause a crash or allow remote code execution. Fuji Electric Monitouch V-SFT Contains a buffer error vulnerability.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within parsing of a V8 project file. The issue lies in the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute arbitrary code under the context of the process. Fuji Electric Monitouch V-SFT is an HMI software. Failed exploit attempts will result in denial-of-service conditions

Trust: 3.24

sources: NVD: CVE-2017-9660 // JVNDB: JVNDB-2017-007180 // ZDI: ZDI-17-645 // CNVD: CNVD-2017-22805 // BID: 100265 // IVD: fe17c188-7216-4dd6-aa4d-ffae1d06d92b

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.8

sources: IVD: fe17c188-7216-4dd6-aa4d-ffae1d06d92b // CNVD: CNVD-2017-22805

AFFECTED PRODUCTS

vendor:fujielectricmodel:monitouch v-sftscope:lteversion:5.4.42.0

Trust: 1.0

vendor:fuji electricmodel:monitouch v-sftscope:ltversion:5.4.43.0

Trust: 0.8

vendor:fuji electricmodel:monitouch v-sftscope: - version: -

Trust: 0.7

vendor:fujimodel:electric monitouch v-sftscope:ltversion:5.4.43.0

Trust: 0.6

vendor:fujielectricmodel:monitouch v-sftscope:eqversion:5.4.42.0

Trust: 0.6

vendor:fujimodel:electric monitouch v-sftscope:eqversion:5.4.42.0

Trust: 0.3

vendor:fujimodel:electric monitouch v-sftscope:neversion:5.4.43.0

Trust: 0.3

vendor:monitouch v sftmodel: - scope:eqversion:*

Trust: 0.2

sources: IVD: fe17c188-7216-4dd6-aa4d-ffae1d06d92b // ZDI: ZDI-17-645 // CNVD: CNVD-2017-22805 // BID: 100265 // JVNDB: JVNDB-2017-007180 // CNNVD: CNNVD-201706-577 // NVD: CVE-2017-9660

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-9660
value: HIGH

Trust: 1.0

NVD: CVE-2017-9660
value: HIGH

Trust: 0.8

ZDI: CVE-2017-9660
value: MEDIUM

Trust: 0.7

CNVD: CNVD-2017-22805
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201706-577
value: MEDIUM

Trust: 0.6

IVD: fe17c188-7216-4dd6-aa4d-ffae1d06d92b
value: MEDIUM

Trust: 0.2

nvd@nist.gov: CVE-2017-9660
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 2.5

CNVD: CNVD-2017-22805
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: fe17c188-7216-4dd6-aa4d-ffae1d06d92b
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2017-9660
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: IVD: fe17c188-7216-4dd6-aa4d-ffae1d06d92b // ZDI: ZDI-17-645 // CNVD: CNVD-2017-22805 // JVNDB: JVNDB-2017-007180 // CNNVD: CNNVD-201706-577 // NVD: CVE-2017-9660

PROBLEMTYPE DATA

problemtype:CWE-119

Trust: 1.8

sources: JVNDB: JVNDB-2017-007180 // NVD: CVE-2017-9660

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201706-577

TYPE

Buffer overflow

Trust: 0.8

sources: IVD: fe17c188-7216-4dd6-aa4d-ffae1d06d92b // CNNVD: CNNVD-201706-577

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-007180

PATCH

title:Monitouch V-SFTurl:http://www.hakko-elec.co.jp/site/vsft/

Trust: 0.8

title:Fuji Electric has issued an update to correct this vulnerability.url:https://ics-cert.us-cert.gov/advisories/ICSA-17-222-04

Trust: 0.7

title:Patch for Fuji Electric Monitouch V-SFT Project File Parsing Buffer Buffer Overflow Vulnerability (CNVD-2017-22805)url:https://www.cnvd.org.cn/patchInfo/show/100820

Trust: 0.6

sources: ZDI: ZDI-17-645 // CNVD: CNVD-2017-22805 // JVNDB: JVNDB-2017-007180

EXTERNAL IDS

db:NVDid:CVE-2017-9660

Trust: 4.2

db:ICS CERTid:ICSA-17-222-04

Trust: 3.3

db:ZDIid:ZDI-17-645

Trust: 2.6

db:BIDid:100265

Trust: 1.3

db:CNVDid:CNVD-2017-22805

Trust: 0.8

db:CNNVDid:CNNVD-201706-577

Trust: 0.8

db:JVNDBid:JVNDB-2017-007180

Trust: 0.8

db:ZDI_CANid:ZDI-CAN-3994

Trust: 0.7

db:ZDIid:ZDI-17-643

Trust: 0.3

db:ZDIid:ZDI-17-644

Trust: 0.3

db:IVDid:FE17C188-7216-4DD6-AA4D-FFAE1D06D92B

Trust: 0.2

sources: IVD: fe17c188-7216-4dd6-aa4d-ffae1d06d92b // ZDI: ZDI-17-645 // CNVD: CNVD-2017-22805 // BID: 100265 // JVNDB: JVNDB-2017-007180 // CNNVD: CNNVD-201706-577 // NVD: CVE-2017-9660

REFERENCES

url:https://ics-cert.us-cert.gov/advisories/icsa-17-222-04

Trust: 4.0

url:http://www.zerodayinitiative.com/advisories/zdi-17-645/

Trust: 1.6

url:https://nvd.nist.gov/vuln/detail/cve-2017-9660

Trust: 1.4

url:http://www.securityfocus.com/bid/100265

Trust: 1.0

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-9660

Trust: 0.8

url:http://www.fujielectric.com/

Trust: 0.3

url:http://www.zerodayinitiative.com/advisories/zdi-17-643/

Trust: 0.3

url:http://www.zerodayinitiative.com/advisories/zdi-17-644/

Trust: 0.3

url:www.zerodayinitiative.com/advisories/zdi-17-645

Trust: 0.3

sources: ZDI: ZDI-17-645 // CNVD: CNVD-2017-22805 // BID: 100265 // JVNDB: JVNDB-2017-007180 // CNNVD: CNNVD-201706-577 // NVD: CVE-2017-9660

CREDITS

Ariele Caltabiano (kimiya)

Trust: 0.7

sources: ZDI: ZDI-17-645

SOURCES

db:IVDid:fe17c188-7216-4dd6-aa4d-ffae1d06d92b
db:ZDIid:ZDI-17-645
db:CNVDid:CNVD-2017-22805
db:BIDid:100265
db:JVNDBid:JVNDB-2017-007180
db:CNNVDid:CNNVD-201706-577
db:NVDid:CVE-2017-9660

LAST UPDATE DATE

2024-08-14T13:56:36.769000+00:00


SOURCES UPDATE DATE

db:ZDIid:ZDI-17-645date:2017-08-10T00:00:00
db:CNVDid:CNVD-2017-22805date:2017-08-25T00:00:00
db:BIDid:100265date:2017-08-10T00:00:00
db:JVNDBid:JVNDB-2017-007180date:2017-09-13T00:00:00
db:CNNVDid:CNNVD-201706-577date:2018-01-02T00:00:00
db:NVDid:CVE-2017-9660date:2017-08-24T14:17:11.887

SOURCES RELEASE DATE

db:IVDid:fe17c188-7216-4dd6-aa4d-ffae1d06d92bdate:2017-08-25T00:00:00
db:ZDIid:ZDI-17-645date:2017-08-10T00:00:00
db:CNVDid:CNVD-2017-22805date:2017-08-25T00:00:00
db:BIDid:100265date:2017-08-10T00:00:00
db:JVNDBid:JVNDB-2017-007180date:2017-09-13T00:00:00
db:CNNVDid:CNNVD-201706-577date:2017-06-15T00:00:00
db:NVDid:CVE-2017-9660date:2017-08-14T16:29:00.350