Sign-up

ID

VAR-201806-0576


CVE

CVE-2018-10617


TITLE

Delta Electronics Delta Industrial Automation DOPSoft Buffer error vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2018-006533

DESCRIPTION

Delta Electronics Delta Industrial Automation DOPSoft version 4.00.04 and prior utilizes a fixed-length heap buffer where a value larger than the buffer can be read from a .dpa file into the buffer, causing the buffer to be overwritten. This may allow remote code execution or cause the application to crash. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Delta Industrial Automation DOPSoft. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the parsing of fields in DPA files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code under the context of the current process. Delta Electronics Delta Industrial Automation DOPSoft is a set of human interface applications from Delta Electronics. A remote code-execution vulnerability 2. A stack-based buffer-overflow vulnerability 3. Failed attacks will cause denial of service conditions. DOPSoft 4.00.04 and prior are vulnerable

Trust: 3.24

sources: NVD: CVE-2018-10617 // JVNDB: JVNDB-2018-006533 // ZDI: ZDI-18-536 // CNVD: CNVD-2018-12140 // BID: 104375 // IVD: e3007681-39ab-11e9-9ce6-000c29342cb1

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.8

sources: IVD: e3007681-39ab-11e9-9ce6-000c29342cb1 // CNVD: CNVD-2018-12140

AFFECTED PRODUCTS

vendor:deltawwmodel:delta industrial automation dopsoftscope:lteversion:4.00.04

Trust: 1.0

vendor:deltamodel:industrial automation dopsoftscope:lteversion:4.00.04

Trust: 0.8

vendor:delta industrial automationmodel:dopsoftscope: - version: -

Trust: 0.7

vendor:deltamodel:electronics delta industrial automation dopsoftscope:lteversion:<=4.00.04

Trust: 0.6

vendor:deltawwmodel:delta industrial automation dopsoftscope:eqversion:4.00.04

Trust: 0.6

vendor:deltamodel:electronics inc dopsoftscope:eqversion:4.0.4

Trust: 0.3

vendor:deltamodel:electronics inc dopsoftscope:eqversion:4.0.1

Trust: 0.3

vendor:deltamodel:electronics inc dopsoftscope:eqversion:2.0.5

Trust: 0.3

vendor:deltamodel:electronics inc dopsoftscope:eqversion:2.00.04.09

Trust: 0.3

vendor:deltamodel:electronics inc dopsoftscope:neversion:4.00.04.22

Trust: 0.3

vendor:delta industrial automation dopsoftmodel: - scope:eqversion:*

Trust: 0.2

sources: IVD: e3007681-39ab-11e9-9ce6-000c29342cb1 // ZDI: ZDI-18-536 // CNVD: CNVD-2018-12140 // BID: 104375 // JVNDB: JVNDB-2018-006533 // CNNVD: CNNVD-201806-810 // NVD: CVE-2018-10617

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-10617
value: CRITICAL

Trust: 1.0

NVD: CVE-2018-10617
value: CRITICAL

Trust: 0.8

ZDI: CVE-2018-10617
value: MEDIUM

Trust: 0.7

CNVD: CNVD-2018-12140
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201806-810
value: CRITICAL

Trust: 0.6

IVD: e3007681-39ab-11e9-9ce6-000c29342cb1
value: CRITICAL

Trust: 0.2

nvd@nist.gov: CVE-2018-10617
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

ZDI: CVE-2018-10617
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.7

CNVD: CNVD-2018-12140
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: e3007681-39ab-11e9-9ce6-000c29342cb1
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2018-10617
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: IVD: e3007681-39ab-11e9-9ce6-000c29342cb1 // ZDI: ZDI-18-536 // CNVD: CNVD-2018-12140 // JVNDB: JVNDB-2018-006533 // CNNVD: CNNVD-201806-810 // NVD: CVE-2018-10617

PROBLEMTYPE DATA

problemtype:CWE-119

Trust: 1.8

problemtype:CWE-122

Trust: 1.0

sources: JVNDB: JVNDB-2018-006533 // NVD: CVE-2018-10617

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201806-810

TYPE

Buffer error

Trust: 0.8

sources: IVD: e3007681-39ab-11e9-9ce6-000c29342cb1 // CNNVD: CNNVD-201806-810

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2018-006533

PATCH
title:Top Pageurl:http://www.deltaww.com/
Trust: 0.8
title:Delta Industrial Automation has issued an update to correct this vulnerability.url:https://ics-cert.us-cert.gov/advisories/ICSA-18-151-01
Trust: 0.7
title:Patch for Delta Industrial Automation DOPSoft Heap Buffer Overflow Vulnerability (CNVD-2018-12140)url:https://www.cnvd.org.cn/patchInfo/show/132875
Trust: 0.6
title:Delta Industrial Automation DOPSoft Buffer error vulnerability fixurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=81328
Trust: 0.6
sources:
            
            
            ZDI: ZDI-18-536 // 
            
            
            
            CNVD: CNVD-2018-12140 // 
            
            
            
            JVNDB: JVNDB-2018-006533 // 
            
            
            
            CNNVD: CNNVD-201806-810

EXTERNAL IDS
db:NVDid:CVE-2018-10617
Trust: 4.2
db:ICS CERTid:ICSA-18-151-01
Trust: 3.3
db:BIDid:104375
Trust: 1.9
db:CNVDid:CNVD-2018-12140
Trust: 0.8
db:CNNVDid:CNNVD-201806-810
Trust: 0.8
db:JVNDBid:JVNDB-2018-006533
Trust: 0.8
db:ZDI_CANid:ZDI-CAN-5974
Trust: 0.7
db:ZDIid:ZDI-18-536
Trust: 0.7
db:IVDid:E3007681-39AB-11E9-9CE6-000C29342CB1
Trust: 0.2
sources:
            
            
            IVD: e3007681-39ab-11e9-9ce6-000c29342cb1 // 
            
            
            
            ZDI: ZDI-18-536 // 
            
            
            
            CNVD: CNVD-2018-12140 // 
            
            
            
            BID: 104375 // 
            
            
            
            JVNDB: JVNDB-2018-006533 // 
            
            
            
            CNNVD: CNNVD-201806-810 // 
            
            
            
            NVD: CVE-2018-10617

REFERENCES
url:https://ics-cert.us-cert.gov/advisories/icsa-18-151-01
Trust: 4.0
url:http://www.securityfocus.com/bid/104375
Trust: 1.6
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-10617
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2018-10617
Trust: 0.8
url:http://www.deltaww.com/
Trust: 0.3
sources:
            
            
            ZDI: ZDI-18-536 // 
            
            
            
            CNVD: CNVD-2018-12140 // 
            
            
            
            BID: 104375 // 
            
            
            
            JVNDB: JVNDB-2018-006533 // 
            
            
            
            CNNVD: CNNVD-201806-810 // 
            
            
            
            NVD: CVE-2018-10617

CREDITS
B0nd @garagehackers
Trust: 0.9
sources:
            
            
            BID: 104375 // 
            
            
            
            CNNVD: CNNVD-201806-810

SOURCES
db:IVDid:e3007681-39ab-11e9-9ce6-000c29342cb1
db:ZDIid:ZDI-18-536
db:CNVDid:CNVD-2018-12140
db:BIDid:104375
db:JVNDBid:JVNDB-2018-006533
db:CNNVDid:CNNVD-201806-810
db:NVDid:CVE-2018-10617

LAST UPDATE DATE
2024-11-23T22:41:49.999000+00:00

SOURCES UPDATE DATE
db:ZDIid:ZDI-18-536date:2018-06-05T00:00:00
db:CNVDid:CNVD-2018-12140date:2018-11-05T00:00:00
db:BIDid:104375date:2018-05-31T00:00:00
db:JVNDBid:JVNDB-2018-006533date:2018-08-24T00:00:00
db:CNNVDid:CNNVD-201806-810date:2019-10-17T00:00:00
db:NVDid:CVE-2018-10617date:2024-11-21T03:41:40.460

SOURCES RELEASE DATE
db:IVDid:e3007681-39ab-11e9-9ce6-000c29342cb1date:2018-06-27T00:00:00
db:ZDIid:ZDI-18-536date:2018-06-05T00:00:00
db:CNVDid:CNVD-2018-12140date:2018-06-27T00:00:00
db:BIDid:104375date:2018-05-31T00:00:00
db:JVNDBid:JVNDB-2018-006533date:2018-08-24T00:00:00
db:CNNVDid:CNNVD-201806-810date:2018-06-01T00:00:00
db:NVDid:CVE-2018-10617date:2018-06-18T19:29:00.217