Details of VAR-201804-0424

ID

VAR-201804-0424

CVE

CVE-2017-14010

TITLE

SpiderControl MicroBrowser Arbitrary code execution vulnerability

Trust: 0.8

sources: IVD: 160c362e-5959-49cd-be9c-7f1698471f70 // CNVD: CNVD-2017-31144

DESCRIPTION

In SpiderControl MicroBrowser Windows XP, Vista 7, 8 and 10, Versions 1.6.30.144 and prior, an uncontrolled search path element vulnerability has been identified which could be exploited by placing a specially crafted DLL file in the search path. If the malicious DLL is loaded prior to the valid DLL, an attacker could execute arbitrary code on the system. SpiderControl MicroBrowser Contains a vulnerability related to uncontrolled search path elements.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. MicroBrowser is a touch screen operating system. SpiderControl MicroBrowser is prone to a remote code-execution vulnerability. SpiderControl MicroBrowser 1.6.30.144 and prior versions are vulnerable

Trust: 2.61

sources: NVD: CVE-2017-14010 // JVNDB: JVNDB-2017-013397 // CNVD: CNVD-2017-31144 // BID: 101505 // IVD: 160c362e-5959-49cd-be9c-7f1698471f70

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.8

sources: IVD: 160c362e-5959-49cd-be9c-7f1698471f70 // CNVD: CNVD-2017-31144

AFFECTED PRODUCTS

vendor:	spidercontrol	model:	scada microbrowser	scope:	lte	version:	1.6.30.144	Trust: 1.0
vendor:	ininet	model:	spidercontrol scada microbrowser	scope:	lte	version:	1.6.30.144	Trust: 0.8
vendor:	spidercontrol	model:	microbrowser windows xp	scope:	lte	version:	<=1.6.30.144	Trust: 0.6
vendor:	spidercontrol	model:	vista	scope:	eq	version:	7<=1.6.30.144	Trust: 0.6
vendor:	spidercontrol	model:	vista	scope:	eq	version:	8<=1.6.30.144	Trust: 0.6
vendor:	spidercontrol	model:	vista	scope:	eq	version:	10<=1.6.30.144	Trust: 0.6
vendor:	spidercontrol	model:	scada microbrowser	scope:	eq	version:	1.6.30.144	Trust: 0.6
vendor:	spidercontrol	model:	microbrowser	scope:	eq	version:	1.6.30.144	Trust: 0.3
vendor:	spidercontrol	model:	microbrowser	scope:	ne	version:	1.6.30.148	Trust: 0.3
vendor:	scada microbrowser	model:	-	scope:	eq	version:	*	Trust: 0.2

sources: IVD: 160c362e-5959-49cd-be9c-7f1698471f70 // CNVD: CNVD-2017-31144 // BID: 101505 // JVNDB: JVNDB-2017-013397 // CNNVD: CNNVD-201710-1056 // NVD: CVE-2017-14010

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-14010
value:	HIGH
Trust: 1.0
NVD:	CVE-2017-14010
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2017-31144
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201710-1056
value:	HIGH
Trust: 0.6
IVD:	160c362e-5959-49cd-be9c-7f1698471f70
value:	HIGH
Trust: 0.2

nvd@nist.gov:	CVE-2017-14010
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2017-31144
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	160c362e-5959-49cd-be9c-7f1698471f70
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2

nvd@nist.gov:	CVE-2017-14010
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.8
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: IVD: 160c362e-5959-49cd-be9c-7f1698471f70 // CNVD: CNVD-2017-31144 // JVNDB: JVNDB-2017-013397 // CNNVD: CNNVD-201710-1056 // NVD: CVE-2017-14010

PROBLEMTYPE DATA

problemtype:

CWE-427

Trust: 1.8

sources: JVNDB: JVNDB-2017-013397 // NVD: CVE-2017-14010

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201710-1056

TYPE

Code problem

Trust: 0.8

sources: IVD: 160c362e-5959-49cd-be9c-7f1698471f70 // CNNVD: CNNVD-201710-1056

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-013397

PATCH

title:	Download Area	url:	http://spidercontrol.net/download/downloadarea/?lang=en	Trust: 0.8
title:	Patch for SpiderControl MicroBrowser arbitrary code execution vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/104382	Trust: 0.6
title:	iniNet SpiderControl MicroBrowser Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=75927	Trust: 0.6

sources: CNVD: CNVD-2017-31144 // JVNDB: JVNDB-2017-013397 // CNNVD: CNNVD-201710-1056

EXTERNAL IDS

db:	NVD	id:	CVE-2017-14010	Trust: 3.5
db:	ICS CERT	id:	ICSA-17-292-01	Trust: 3.3
db:	BID	id:	101505	Trust: 1.9
db:	CNVD	id:	CNVD-2017-31144	Trust: 0.8
db:	CNNVD	id:	CNNVD-201710-1056	Trust: 0.8
db:	JVNDB	id:	JVNDB-2017-013397	Trust: 0.8
db:	IVD	id:	160C362E-5959-49CD-BE9C-7F1698471F70	Trust: 0.2

sources: IVD: 160c362e-5959-49cd-be9c-7f1698471f70 // CNVD: CNVD-2017-31144 // BID: 101505 // JVNDB: JVNDB-2017-013397 // CNNVD: CNNVD-201710-1056 // NVD: CVE-2017-14010

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-17-292-01	Trust: 3.3
url:	http://spidercontrol.net/download/downloadarea/?lang=en	Trust: 1.9
url:	http://www.securityfocus.com/bid/101505	Trust: 1.6
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-14010	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-14010	Trust: 0.8
url:	http://blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html	Trust: 0.3
url:	http://blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx	Trust: 0.3

sources: CNVD: CNVD-2017-31144 // BID: 101505 // JVNDB: JVNDB-2017-013397 // CNNVD: CNNVD-201710-1056 // NVD: CVE-2017-14010

CREDITS

Karn Ganeshen

Trust: 0.9

sources: BID: 101505 // CNNVD: CNNVD-201710-1056

SOURCES

db:	IVD	id:	160c362e-5959-49cd-be9c-7f1698471f70
db:	CNVD	id:	CNVD-2017-31144
db:	BID	id:	101505
db:	JVNDB	id:	JVNDB-2017-013397
db:	CNNVD	id:	CNNVD-201710-1056
db:	NVD	id:	CVE-2017-14010

LAST UPDATE DATE

2024-11-23T22:22:07.465000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2017-31144	date:	2017-10-23T00:00:00
db:	BID	id:	101505	date:	2017-10-19T00:00:00
db:	JVNDB	id:	JVNDB-2017-013397	date:	2018-07-03T00:00:00
db:	CNNVD	id:	CNNVD-201710-1056	date:	2019-10-17T00:00:00
db:	NVD	id:	CVE-2017-14010	date:	2024-11-21T03:11:57.553

SOURCES RELEASE DATE

db:	IVD	id:	160c362e-5959-49cd-be9c-7f1698471f70	date:	2017-10-23T00:00:00
db:	CNVD	id:	CNVD-2017-31144	date:	2017-10-23T00:00:00
db:	BID	id:	101505	date:	2017-10-19T00:00:00
db:	JVNDB	id:	JVNDB-2017-013397	date:	2018-07-03T00:00:00
db:	CNNVD	id:	CNNVD-201710-1056	date:	2017-10-27T00:00:00
db:	NVD	id:	CVE-2017-14010	date:	2018-04-26T19:29:00.370