Sign-up

ID

VAR-201806-0552


CVE

CVE-2018-10621


TITLE

Delta Industrial Automation DOPSoft Buffer Overflow Vulnerability

Trust: 0.8

sources: IVD: e2ff8c21-39ab-11e9-a399-000c29342cb1 // CNVD: CNVD-2018-12139

DESCRIPTION

Delta Electronics Delta Industrial Automation DOPSoft version 4.00.04 and prior utilizes a fixed-length stack buffer where a value larger than the buffer can be read from a .dpa file into the buffer, causing the buffer to be overwritten. This may allow remote code execution or cause the application to crash. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Delta Industrial Automation DOPSoft. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the parsing of fields in DPA files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code under the context of the current process. Delta Electronics Delta Industrial Automation DOPSoft is a set of human interface applications from Delta Electronics. A remote code-execution vulnerability 2. A stack-based buffer-overflow vulnerability 3. Failed attacks will cause denial of service conditions. DOPSoft 4.00.04 and prior are vulnerable

Trust: 3.24

sources: NVD: CVE-2018-10621 // JVNDB: JVNDB-2018-006532 // ZDI: ZDI-18-538 // CNVD: CNVD-2018-12139 // BID: 104375 // IVD: e2ff8c21-39ab-11e9-a399-000c29342cb1

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.8

sources: IVD: e2ff8c21-39ab-11e9-a399-000c29342cb1 // CNVD: CNVD-2018-12139

AFFECTED PRODUCTS

vendor:deltawwmodel:delta industrial automation dopsoftscope:lteversion:4.00.04

Trust: 1.0

vendor:deltamodel:industrial automation dopsoftscope:lteversion:4.00.04

Trust: 0.8

vendor:delta industrial automationmodel:dopsoftscope: - version: -

Trust: 0.7

vendor:deltamodel:electronics delta industrial automation dopsoftscope:lteversion:<=4.00.04

Trust: 0.6

vendor:deltawwmodel:delta industrial automation dopsoftscope:eqversion:4.00.04

Trust: 0.6

vendor:deltamodel:electronics inc dopsoftscope:eqversion:4.0.4

Trust: 0.3

vendor:deltamodel:electronics inc dopsoftscope:eqversion:4.0.1

Trust: 0.3

vendor:deltamodel:electronics inc dopsoftscope:eqversion:2.0.5

Trust: 0.3

vendor:deltamodel:electronics inc dopsoftscope:eqversion:2.00.04.09

Trust: 0.3

vendor:deltamodel:electronics inc dopsoftscope:neversion:4.00.04.22

Trust: 0.3

vendor:delta industrial automation dopsoftmodel: - scope:eqversion:*

Trust: 0.2

sources: IVD: e2ff8c21-39ab-11e9-a399-000c29342cb1 // ZDI: ZDI-18-538 // CNVD: CNVD-2018-12139 // BID: 104375 // JVNDB: JVNDB-2018-006532 // CNNVD: CNNVD-201806-811 // NVD: CVE-2018-10621

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-10621
value: CRITICAL

Trust: 1.0

NVD: CVE-2018-10621
value: CRITICAL

Trust: 0.8

ZDI: CVE-2018-10621
value: MEDIUM

Trust: 0.7

CNVD: CNVD-2018-12139
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201806-811
value: CRITICAL

Trust: 0.6

IVD: e2ff8c21-39ab-11e9-a399-000c29342cb1
value: CRITICAL

Trust: 0.2

nvd@nist.gov: CVE-2018-10621
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

ZDI: CVE-2018-10621
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.7

CNVD: CNVD-2018-12139
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: e2ff8c21-39ab-11e9-a399-000c29342cb1
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2018-10621
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: IVD: e2ff8c21-39ab-11e9-a399-000c29342cb1 // ZDI: ZDI-18-538 // CNVD: CNVD-2018-12139 // JVNDB: JVNDB-2018-006532 // CNNVD: CNNVD-201806-811 // NVD: CVE-2018-10621

PROBLEMTYPE DATA

problemtype:CWE-119

Trust: 1.8

problemtype:CWE-121

Trust: 1.0

sources: JVNDB: JVNDB-2018-006532 // NVD: CVE-2018-10621

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201806-811

TYPE

Buffer error

Trust: 0.8

sources: IVD: e2ff8c21-39ab-11e9-a399-000c29342cb1 // CNNVD: CNNVD-201806-811

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2018-006532

PATCH
title:Top Pageurl:http://www.deltaww.com/
Trust: 0.8
title:Delta Industrial Automation has issued an update to correct this vulnerability.url:https://ics-cert.us-cert.gov/advisories/ICSA-18-151-01
Trust: 0.7
title:Delta Industrial Automation DOPSoft Buffer Overflow Vulnerability Patchurl:https://www.cnvd.org.cn/patchInfo/show/132873
Trust: 0.6
title:Delta Industrial Automation DOPSoft Buffer error vulnerability fixurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=81329
Trust: 0.6
sources:
            
            
            ZDI: ZDI-18-538 // 
            
            
            
            CNVD: CNVD-2018-12139 // 
            
            
            
            JVNDB: JVNDB-2018-006532 // 
            
            
            
            CNNVD: CNNVD-201806-811

EXTERNAL IDS
db:NVDid:CVE-2018-10621
Trust: 4.2
db:ICS CERTid:ICSA-18-151-01
Trust: 3.3
db:BIDid:104375
Trust: 1.9
db:CNVDid:CNVD-2018-12139
Trust: 0.8
db:CNNVDid:CNNVD-201806-811
Trust: 0.8
db:JVNDBid:JVNDB-2018-006532
Trust: 0.8
db:ZDI_CANid:ZDI-CAN-6057
Trust: 0.7
db:ZDIid:ZDI-18-538
Trust: 0.7
db:IVDid:E2FF8C21-39AB-11E9-A399-000C29342CB1
Trust: 0.2
sources:
            
            
            IVD: e2ff8c21-39ab-11e9-a399-000c29342cb1 // 
            
            
            
            ZDI: ZDI-18-538 // 
            
            
            
            CNVD: CNVD-2018-12139 // 
            
            
            
            BID: 104375 // 
            
            
            
            JVNDB: JVNDB-2018-006532 // 
            
            
            
            CNNVD: CNNVD-201806-811 // 
            
            
            
            NVD: CVE-2018-10621

REFERENCES
url:https://ics-cert.us-cert.gov/advisories/icsa-18-151-01
Trust: 4.0
url:http://www.securityfocus.com/bid/104375
Trust: 1.6
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-10621
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2018-10621
Trust: 0.8
url:http://www.deltaww.com/
Trust: 0.3
sources:
            
            
            ZDI: ZDI-18-538 // 
            
            
            
            CNVD: CNVD-2018-12139 // 
            
            
            
            BID: 104375 // 
            
            
            
            JVNDB: JVNDB-2018-006532 // 
            
            
            
            CNNVD: CNNVD-201806-811 // 
            
            
            
            NVD: CVE-2018-10621

CREDITS
B0nd @garagehackers
Trust: 0.9
sources:
            
            
            BID: 104375 // 
            
            
            
            CNNVD: CNNVD-201806-811

SOURCES
db:IVDid:e2ff8c21-39ab-11e9-a399-000c29342cb1
db:ZDIid:ZDI-18-538
db:CNVDid:CNVD-2018-12139
db:BIDid:104375
db:JVNDBid:JVNDB-2018-006532
db:CNNVDid:CNNVD-201806-811
db:NVDid:CVE-2018-10621

LAST UPDATE DATE
2024-11-23T22:41:49.910000+00:00

SOURCES UPDATE DATE
db:ZDIid:ZDI-18-538date:2018-06-05T00:00:00
db:CNVDid:CNVD-2018-12139date:2018-11-05T00:00:00
db:BIDid:104375date:2018-05-31T00:00:00
db:JVNDBid:JVNDB-2018-006532date:2018-08-24T00:00:00
db:CNNVDid:CNNVD-201806-811date:2019-10-17T00:00:00
db:NVDid:CVE-2018-10621date:2024-11-21T03:41:40.947

SOURCES RELEASE DATE
db:IVDid:e2ff8c21-39ab-11e9-a399-000c29342cb1date:2018-06-27T00:00:00
db:ZDIid:ZDI-18-538date:2018-06-05T00:00:00
db:CNVDid:CNVD-2018-12139date:2018-06-27T00:00:00
db:BIDid:104375date:2018-05-31T00:00:00
db:JVNDBid:JVNDB-2018-006532date:2018-08-24T00:00:00
db:CNNVDid:CNNVD-201806-811date:2018-06-01T00:00:00
db:NVDid:CVE-2018-10621date:2018-06-18T19:29:00.247