Sign-up

ID

VAR-201708-1407


CVE

CVE-2017-9660


TITLE

Fuji Electric Monitouch V-SFT Buffer error vulnerability

Trust: 1.4

sources: JVNDB: JVNDB-2017-007180 // CNNVD: CNNVD-201706-577

DESCRIPTION

A Heap-Based Buffer Overflow was discovered in Fuji Electric Monitouch V-SFT versions prior to Version 5.4.43.0. A heap-based buffer overflow vulnerability has been identified, which may cause a crash or allow remote code execution. Fuji Electric Monitouch V-SFT Contains a buffer error vulnerability.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within parsing of a V8 project file. The issue lies in the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute arbitrary code under the context of the process. Fuji Electric Monitouch V-SFT is an HMI software. Failed exploit attempts will result in denial-of-service conditions

Trust: 3.24

sources: NVD: CVE-2017-9660 // JVNDB: JVNDB-2017-007180 // ZDI: ZDI-17-645 // CNVD: CNVD-2017-22805 // BID: 100265 // IVD: fe17c188-7216-4dd6-aa4d-ffae1d06d92b

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.8

sources: IVD: fe17c188-7216-4dd6-aa4d-ffae1d06d92b // CNVD: CNVD-2017-22805

AFFECTED PRODUCTS

vendor:fujielectricmodel:monitouch v-sftscope:lteversion:5.4.42.0

Trust: 1.0

vendor:fuji electricmodel:monitouch v-sftscope:ltversion:5.4.43.0

Trust: 0.8

vendor:fuji electricmodel:monitouch v-sftscope: - version: -

Trust: 0.7

vendor:fujimodel:electric monitouch v-sftscope:ltversion:5.4.43.0

Trust: 0.6

vendor:fujielectricmodel:monitouch v-sftscope:eqversion:5.4.42.0

Trust: 0.6

vendor:fujimodel:electric monitouch v-sftscope:eqversion:5.4.42.0

Trust: 0.3

vendor:fujimodel:electric monitouch v-sftscope:neversion:5.4.43.0

Trust: 0.3

vendor:monitouch v sftmodel: - scope:eqversion:*

Trust: 0.2

sources: IVD: fe17c188-7216-4dd6-aa4d-ffae1d06d92b // ZDI: ZDI-17-645 // CNVD: CNVD-2017-22805 // BID: 100265 // JVNDB: JVNDB-2017-007180 // CNNVD: CNNVD-201706-577 // NVD: CVE-2017-9660

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-9660
value: HIGH

Trust: 1.0

NVD: CVE-2017-9660
value: HIGH

Trust: 0.8

ZDI: CVE-2017-9660
value: MEDIUM

Trust: 0.7

CNVD: CNVD-2017-22805
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201706-577
value: MEDIUM

Trust: 0.6

IVD: fe17c188-7216-4dd6-aa4d-ffae1d06d92b
value: MEDIUM

Trust: 0.2

nvd@nist.gov: CVE-2017-9660
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 2.5

CNVD: CNVD-2017-22805
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: fe17c188-7216-4dd6-aa4d-ffae1d06d92b
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2017-9660
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: IVD: fe17c188-7216-4dd6-aa4d-ffae1d06d92b // ZDI: ZDI-17-645 // CNVD: CNVD-2017-22805 // JVNDB: JVNDB-2017-007180 // CNNVD: CNNVD-201706-577 // NVD: CVE-2017-9660

PROBLEMTYPE DATA

problemtype:CWE-119

Trust: 1.8

sources: JVNDB: JVNDB-2017-007180 // NVD: CVE-2017-9660

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201706-577

TYPE

Buffer overflow

Trust: 0.8

sources: IVD: fe17c188-7216-4dd6-aa4d-ffae1d06d92b // CNNVD: CNNVD-201706-577

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2017-007180

PATCH
title:Monitouch V-SFTurl:http://www.hakko-elec.co.jp/site/vsft/
Trust: 0.8
title:Fuji Electric has issued an update to correct this vulnerability.url:https://ics-cert.us-cert.gov/advisories/ICSA-17-222-04
Trust: 0.7
title:Patch for Fuji Electric Monitouch V-SFT Project File Parsing Buffer Buffer Overflow Vulnerability (CNVD-2017-22805)url:https://www.cnvd.org.cn/patchInfo/show/100820
Trust: 0.6
sources:
            
            
            ZDI: ZDI-17-645 // 
            
            
            
            CNVD: CNVD-2017-22805 // 
            
            
            
            JVNDB: JVNDB-2017-007180

EXTERNAL IDS
db:NVDid:CVE-2017-9660
Trust: 4.2
db:ICS CERTid:ICSA-17-222-04
Trust: 3.3
db:ZDIid:ZDI-17-645
Trust: 2.6
db:BIDid:100265
Trust: 1.3
db:CNVDid:CNVD-2017-22805
Trust: 0.8
db:CNNVDid:CNNVD-201706-577
Trust: 0.8
db:JVNDBid:JVNDB-2017-007180
Trust: 0.8
db:ZDI_CANid:ZDI-CAN-3994
Trust: 0.7
db:ZDIid:ZDI-17-643
Trust: 0.3
db:ZDIid:ZDI-17-644
Trust: 0.3
db:IVDid:FE17C188-7216-4DD6-AA4D-FFAE1D06D92B
Trust: 0.2
sources:
            
            
            IVD: fe17c188-7216-4dd6-aa4d-ffae1d06d92b // 
            
            
            
            ZDI: ZDI-17-645 // 
            
            
            
            CNVD: CNVD-2017-22805 // 
            
            
            
            BID: 100265 // 
            
            
            
            JVNDB: JVNDB-2017-007180 // 
            
            
            
            CNNVD: CNNVD-201706-577 // 
            
            
            
            NVD: CVE-2017-9660

REFERENCES
url:https://ics-cert.us-cert.gov/advisories/icsa-17-222-04
Trust: 4.0
url:http://www.zerodayinitiative.com/advisories/zdi-17-645/
Trust: 1.6
url:https://nvd.nist.gov/vuln/detail/cve-2017-9660
Trust: 1.4
url:http://www.securityfocus.com/bid/100265
Trust: 1.0
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-9660
Trust: 0.8
url:http://www.fujielectric.com/
Trust: 0.3
url:http://www.zerodayinitiative.com/advisories/zdi-17-643/
Trust: 0.3
url:http://www.zerodayinitiative.com/advisories/zdi-17-644/
Trust: 0.3
url:www.zerodayinitiative.com/advisories/zdi-17-645
Trust: 0.3
sources:
            
            
            ZDI: ZDI-17-645 // 
            
            
            
            CNVD: CNVD-2017-22805 // 
            
            
            
            BID: 100265 // 
            
            
            
            JVNDB: JVNDB-2017-007180 // 
            
            
            
            CNNVD: CNNVD-201706-577 // 
            
            
            
            NVD: CVE-2017-9660

CREDITS
Ariele Caltabiano (kimiya)
Trust: 0.7
sources:
            
            
            ZDI: ZDI-17-645

SOURCES
db:IVDid:fe17c188-7216-4dd6-aa4d-ffae1d06d92b
db:ZDIid:ZDI-17-645
db:CNVDid:CNVD-2017-22805
db:BIDid:100265
db:JVNDBid:JVNDB-2017-007180
db:CNNVDid:CNNVD-201706-577
db:NVDid:CVE-2017-9660

LAST UPDATE DATE
2024-08-14T13:56:36.769000+00:00

SOURCES UPDATE DATE
db:ZDIid:ZDI-17-645date:2017-08-10T00:00:00
db:CNVDid:CNVD-2017-22805date:2017-08-25T00:00:00
db:BIDid:100265date:2017-08-10T00:00:00
db:JVNDBid:JVNDB-2017-007180date:2017-09-13T00:00:00
db:CNNVDid:CNNVD-201706-577date:2018-01-02T00:00:00
db:NVDid:CVE-2017-9660date:2017-08-24T14:17:11.887

SOURCES RELEASE DATE
db:IVDid:fe17c188-7216-4dd6-aa4d-ffae1d06d92bdate:2017-08-25T00:00:00
db:ZDIid:ZDI-17-645date:2017-08-10T00:00:00
db:CNVDid:CNVD-2017-22805date:2017-08-25T00:00:00
db:BIDid:100265date:2017-08-10T00:00:00
db:JVNDBid:JVNDB-2017-007180date:2017-09-13T00:00:00
db:CNNVDid:CNNVD-201706-577date:2017-06-15T00:00:00
db:NVDid:CVE-2017-9660date:2017-08-14T16:29:00.350