ID

VAR-201708-1409


CVE

CVE-2017-9662


TITLE

Fuji Electric Monitouch V-SFT Insecure Configuration Privilege Escalation Vulnerability

Trust: 0.9

sources: IVD: 2be44727-f1cd-4bad-8264-9b7730b4f5e3 // ZDI: ZDI-17-646

DESCRIPTION

An Improper Privilege Management issue was discovered in Fuji Electric Monitouch V-SFT versions prior to Version 5.4.43.0. Monitouch V-SFT is installed in a directory with weak access controls by default, which could allow an authenticated attacker with local access to escalate privileges. Fuji Electric Monitouch V-SFT Contains vulnerabilities related to authorization, permissions, and access control.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. This vulnerability allows local attackers to escalate their privileges on vulnerable installations of Fuji Electric Monitouch V-SFT. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.The specific flaw exists within the configuration of Monitouch V-SFT. An attacker can leverage this vulnerability to execute code in the context of any user of the software. Fuji Electric Monitouch V-SFT is an HMI software

Trust: 3.24

sources: NVD: CVE-2017-9662 // JVNDB: JVNDB-2017-007182 // ZDI: ZDI-17-646 // CNVD: CNVD-2017-22806 // BID: 100268 // IVD: 2be44727-f1cd-4bad-8264-9b7730b4f5e3

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.8

sources: IVD: 2be44727-f1cd-4bad-8264-9b7730b4f5e3 // CNVD: CNVD-2017-22806

AFFECTED PRODUCTS

vendor:fujielectricmodel:monitouch v-sftscope:lteversion:5.4.42.0

Trust: 1.0

vendor:fuji electricmodel:monitouch v-sftscope:ltversion:5.4.43.0

Trust: 0.8

vendor:fuji electricmodel:monitouch v-sftscope: - version: -

Trust: 0.7

vendor:fujimodel:electric monitouch v-sftscope:ltversion:5.4.43.0

Trust: 0.6

vendor:fujielectricmodel:monitouch v-sftscope:eqversion:5.4.42.0

Trust: 0.6

vendor:fujimodel:electric monitouch v-sftscope:eqversion:5.4.42.0

Trust: 0.3

vendor:fujimodel:electric monitouch v-sftscope:neversion:5.4.43.0

Trust: 0.3

vendor:monitouch v sftmodel: - scope:eqversion:*

Trust: 0.2

sources: IVD: 2be44727-f1cd-4bad-8264-9b7730b4f5e3 // ZDI: ZDI-17-646 // CNVD: CNVD-2017-22806 // BID: 100268 // JVNDB: JVNDB-2017-007182 // CNNVD: CNNVD-201706-575 // NVD: CVE-2017-9662

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-9662
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-9662
value: MEDIUM

Trust: 0.8

ZDI: CVE-2017-9662
value: MEDIUM

Trust: 0.7

CNVD: CNVD-2017-22806
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201706-575
value: MEDIUM

Trust: 0.6

IVD: 2be44727-f1cd-4bad-8264-9b7730b4f5e3
value: MEDIUM

Trust: 0.2

nvd@nist.gov: CVE-2017-9662
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

ZDI: CVE-2017-9662
severity: MEDIUM
baseScore: 4.4
vectorString: AV:L/AC:M/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.4
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.7

CNVD: CNVD-2017-22806
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 2be44727-f1cd-4bad-8264-9b7730b4f5e3
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2017-9662
baseSeverity: MEDIUM
baseScore: 5.3
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 1.8
impactScore: 3.4
version: 3.0

Trust: 1.8

sources: IVD: 2be44727-f1cd-4bad-8264-9b7730b4f5e3 // ZDI: ZDI-17-646 // CNVD: CNVD-2017-22806 // JVNDB: JVNDB-2017-007182 // CNNVD: CNNVD-201706-575 // NVD: CVE-2017-9662

PROBLEMTYPE DATA

problemtype:CWE-269

Trust: 1.0

problemtype:CWE-264

Trust: 0.8

sources: JVNDB: JVNDB-2017-007182 // NVD: CVE-2017-9662

THREAT TYPE

local

Trust: 0.9

sources: BID: 100268 // CNNVD: CNNVD-201706-575

TYPE

permissions and access control issues

Trust: 0.6

sources: CNNVD: CNNVD-201706-575

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-007182

PATCH

title:Monitouch V-SFTurl:http://www.hakko-elec.co.jp/site/vsft/

Trust: 0.8

title:Fuji Electric has issued an update to correct this vulnerability.url:https://ics-cert.us-cert.gov/advisories/ICSA-17-222-04

Trust: 0.7

title:Fuji Electric Monitouch V-SFT Unsafe Configuration Privilege Upgrade Vulnerability Patchurl:https://www.cnvd.org.cn/patchInfo/show/100818

Trust: 0.6

title:Fuji Electric Monitouch V-SFT Fixes for permission permissions and access control vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=99846

Trust: 0.6

sources: ZDI: ZDI-17-646 // CNVD: CNVD-2017-22806 // JVNDB: JVNDB-2017-007182 // CNNVD: CNNVD-201706-575

EXTERNAL IDS

db:NVDid:CVE-2017-9662

Trust: 4.2

db:ICS CERTid:ICSA-17-222-04

Trust: 3.3

db:ZDIid:ZDI-17-646

Trust: 2.6

db:BIDid:100268

Trust: 1.9

db:CNVDid:CNVD-2017-22806

Trust: 0.8

db:CNNVDid:CNNVD-201706-575

Trust: 0.8

db:JVNDBid:JVNDB-2017-007182

Trust: 0.8

db:ZDI_CANid:ZDI-CAN-4021

Trust: 0.7

db:IVDid:2BE44727-F1CD-4BAD-8264-9B7730B4F5E3

Trust: 0.2

sources: IVD: 2be44727-f1cd-4bad-8264-9b7730b4f5e3 // ZDI: ZDI-17-646 // CNVD: CNVD-2017-22806 // BID: 100268 // JVNDB: JVNDB-2017-007182 // CNNVD: CNNVD-201706-575 // NVD: CVE-2017-9662

REFERENCES

url:https://ics-cert.us-cert.gov/advisories/icsa-17-222-04

Trust: 4.0

url:http://www.zerodayinitiative.com/advisories/zdi-17-646/

Trust: 1.9

url:http://www.securityfocus.com/bid/100268

Trust: 1.6

url:https://nvd.nist.gov/vuln/detail/cve-2017-9662

Trust: 1.4

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-9662

Trust: 0.8

url:http://www.fujielectric.com/

Trust: 0.3

sources: ZDI: ZDI-17-646 // CNVD: CNVD-2017-22806 // BID: 100268 // JVNDB: JVNDB-2017-007182 // CNNVD: CNNVD-201706-575 // NVD: CVE-2017-9662

CREDITS

Fritz Sands of the Zero Day Initiative

Trust: 1.0

sources: ZDI: ZDI-17-646 // BID: 100268

SOURCES

db:IVDid:2be44727-f1cd-4bad-8264-9b7730b4f5e3
db:ZDIid:ZDI-17-646
db:CNVDid:CNVD-2017-22806
db:BIDid:100268
db:JVNDBid:JVNDB-2017-007182
db:CNNVDid:CNNVD-201706-575
db:NVDid:CVE-2017-9662

LAST UPDATE DATE

2024-08-14T13:56:36.858000+00:00


SOURCES UPDATE DATE

db:ZDIid:ZDI-17-646date:2017-08-10T00:00:00
db:CNVDid:CNVD-2017-22806date:2017-08-25T00:00:00
db:BIDid:100268date:2017-08-10T00:00:00
db:JVNDBid:JVNDB-2017-007182date:2017-09-13T00:00:00
db:CNNVDid:CNNVD-201706-575date:2019-10-23T00:00:00
db:NVDid:CVE-2017-9662date:2019-10-03T00:03:26.223

SOURCES RELEASE DATE

db:IVDid:2be44727-f1cd-4bad-8264-9b7730b4f5e3date:2017-08-25T00:00:00
db:ZDIid:ZDI-17-646date:2017-08-10T00:00:00
db:CNVDid:CNVD-2017-22806date:2017-08-25T00:00:00
db:BIDid:100268date:2017-08-10T00:00:00
db:JVNDBid:JVNDB-2017-007182date:2017-09-13T00:00:00
db:CNNVDid:CNNVD-201706-575date:2017-06-15T00:00:00
db:NVDid:CVE-2017-9662date:2017-08-14T16:29:00.413