ID

VAR-201811-0100


CVE

CVE-2018-17907


TITLE

Multiple vulnerabilities in OMRON CX-Supervisor

Trust: 0.8

sources: JVNDB: JVNDB-2018-008493

DESCRIPTION

When processing project files in Omron CX-Supervisor Versions 3.4.1.0 and prior and tampering with the value of an offset, an attacker can force the application to read a value outside of an array.

CX-Supervisor, provided by OMRON Corporation, contains the following multiple vulnerabilities:

* Buffer overflow (CWE-119) - CVE-2018-17905: Processing a specially crafted project file causes memory corruption
* Read out of bounds (CWE-125) - CVE-2018-17907: Processing a specially crafted project file causes values outside an array to be read
* Use of freed memory (Use-after-free) (CWE-416) - CVE-2018-17909: Processing arbitrary crafted project files results in arbitrary code execution
* Bad type conversion or cast (Incorrect Type Conversion or Cast) (CWE-704) - CVE-2018-17913: Processing arbitrary crafted project files results in arbitrary code execution

A remote attacker could execute arbitrary code.

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of OMRON CX-Supervisor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of SCS files. By manipulating a document's elements an attacker can trigger a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process.

The Omron CX-Supervisor is a visual machine controller from Omron, Japan.

Omron CX-Supervisor is prone to the following security vulnerabilities:

1. Multiple remote code-execution vulnerabilities
2. A memory-corruption vulnerability
3

Trust: 4.59

sources: NVD: CVE-2018-17907 // JVNDB: JVNDB-2018-008493 // ZDI: ZDI-18-1285 // ZDI: ZDI-18-1280 // ZDI: ZDI-18-1288 // CNVD: CNVD-2018-21479 // BID: 105691 // IVD: e2fe53a1-39ab-11e9-af12-000c29342cb1 // VULHUB: VHN-128413

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.8

sources: IVD: e2fe53a1-39ab-11e9-af12-000c29342cb1 // CNVD: CNVD-2018-21479

AFFECTED PRODUCTS

vendor: omron, model: cx-supervisor, scope: -, version: -

Trust: 2.1

vendor: omron, model: cx-supervisor, scope: lte, version: 3.4.1.0

Trust: 1.0

vendor: omron, model: cx-supervisor, scope: lte, version: version 3.4.1

Trust: 0.8

vendor: omron, model: cx-supervisor, scope: lte, version: <=3.4.1.0

Trust: 0.6

vendor: omron, model: cx-supervisor, scope: eq, version: 3.4.1.0

Trust: 0.6

vendor: omron, model: cx-supervisor, scope: eq, version: 3.4.1

Trust: 0.3

vendor: omron, model: cx-supervisor, scope: ne, version: 3.4.2

Trust: 0.3

vendor: cx supervisor, model: -, scope: eq, version: *

Trust: 0.2

sources: IVD: e2fe53a1-39ab-11e9-af12-000c29342cb1 // ZDI: ZDI-18-1285 // ZDI: ZDI-18-1280 // ZDI: ZDI-18-1288 // CNVD: CNVD-2018-21479 // BID: 105691 // JVNDB: JVNDB-2018-008493 // CNNVD: CNNVD-201810-1024 // NVD: CVE-2018-17907

CVSS

SEVERITY

CVSSV2

CVSSV3

ZDI: CVE-2018-17907
value: MEDIUM

Trust: 2.1

JPCERT/CC: JVNDB-2018-008493
value: MEDIUM

Trust: 1.6

nvd@nist.gov: CVE-2018-17907
value: LOW

Trust: 1.0

JPCERT/CC: JVNDB-2018-008493
value: HIGH

Trust: 0.8

JPCERT/CC: JVNDB-2018-008493
value: LOW

Trust: 0.8

CNVD: CNVD-2018-21479
value: LOW

Trust: 0.6

CNNVD: CNNVD-201810-1024
value: LOW

Trust: 0.6

IVD: e2fe53a1-39ab-11e9-af12-000c29342cb1
value: LOW

Trust: 0.2

VULHUB: VHN-128413
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-17907
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 2.4

JPCERT/CC: JVNDB-2018-008493
severity: MEDIUM
baseScore: 4.4
vectorString: AV:L/AC:M/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.6

JPCERT/CC: JVNDB-2018-008493
severity: MEDIUM
baseScore: 6.9
vectorString: AV:L/AC:M/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

JPCERT/CC: JVNDB-2018-008493
severity: LOW
baseScore: 1.9
vectorString: AV:L/AC:M/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

ZDI: CVE-2018-17907
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.7

CNVD: CNVD-2018-21479
severity: LOW
baseScore: 1.2
vectorString: AV:L/AC:H/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 1.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: e2fe53a1-39ab-11e9-af12-000c29342cb1
severity: LOW
baseScore: 1.2
vectorString: AV:L/AC:H/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 1.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-128413
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

JPCERT/CC: JVNDB-2018-008493
baseSeverity: MEDIUM
baseScore: 4.5
vectorString: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
attackVector: LOCAL
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 1.6

nvd@nist.gov: CVE-2018-17907
baseSeverity: LOW
baseScore: 3.3
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 1.8
impactScore: 1.4
version: 3.0

Trust: 1.0

JPCERT/CC: JVNDB-2018-008493
baseSeverity: HIGH
baseScore: 7.0
vectorString: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

JPCERT/CC: JVNDB-2018-008493
baseSeverity: LOW
baseScore: 2.5
vectorString: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
attackVector: LOCAL
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: IVD: e2fe53a1-39ab-11e9-af12-000c29342cb1 // ZDI: ZDI-18-1285 // ZDI: ZDI-18-1280 // ZDI: ZDI-18-1288 // CNVD: CNVD-2018-21479 // VULHUB: VHN-128413 // JVNDB: JVNDB-2018-008493 // JVNDB: JVNDB-2018-008493 // JVNDB: JVNDB-2018-008493 // JVNDB: JVNDB-2018-008493 // CNNVD: CNNVD-201810-1024 // NVD: CVE-2018-17907

PROBLEMTYPE DATA

problemtype:CWE-200

Trust: 1.1

problemtype:CWE-119

Trust: 1.0

sources: VULHUB: VHN-128413 // NVD: CVE-2018-17907

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201810-1024

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201810-1024

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-008493

PATCH

title: OMRON has issued an update to correct this vulnerability.
url: https://ics-cert.us-cert.gov/advisories/ICSA-18-290-01

Trust: 2.1

title: Release Notes For CX-Supervisor 3.4.2
url: https://www.myomron.com/index.php?article=1709&action=kb

Trust: 0.8

title: Omron CX-Supervisor patch for out-of-bounds read vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/142863

Trust: 0.6

title: Omron CX-Supervisor Buffer error vulnerability fix
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=86088

Trust: 0.6

sources: ZDI: ZDI-18-1285 // ZDI: ZDI-18-1280 // ZDI: ZDI-18-1288 // CNVD: CNVD-2018-21479 // JVNDB: JVNDB-2018-008493 // CNNVD: CNNVD-201810-1024

EXTERNAL IDS

db: NVD, id: CVE-2018-17907

Trust: 5.7

db: ICS CERT, id: ICSA-18-290-01

Trust: 3.4

db: BID, id: 105691

Trust: 2.0

db: CNNVD, id: CNNVD-201810-1024

Trust: 0.9

db: CNVD, id: CNVD-2018-21479

Trust: 0.8

db: JVN, id: JVNVU99213938

Trust: 0.8

db: JVNDB, id: JVNDB-2018-008493

Trust: 0.8

db: ZDI_CAN, id: ZDI-CAN-6419

Trust: 0.7

db: ZDI, id: ZDI-18-1285

Trust: 0.7

db: ZDI_CAN, id: ZDI-CAN-6427

Trust: 0.7

db: ZDI, id: ZDI-18-1280

Trust: 0.7

db: ZDI_CAN, id: ZDI-CAN-6404

Trust: 0.7

db: ZDI, id: ZDI-18-1288

Trust: 0.7

db: IVD, id: E2FE53A1-39AB-11E9-AF12-000C29342CB1

Trust: 0.2

db: VULHUB, id: VHN-128413

Trust: 0.1

sources: IVD: e2fe53a1-39ab-11e9-af12-000c29342cb1 // ZDI: ZDI-18-1285 // ZDI: ZDI-18-1280 // ZDI: ZDI-18-1288 // CNVD: CNVD-2018-21479 // VULHUB: VHN-128413 // BID: 105691 // JVNDB: JVNDB-2018-008493 // CNNVD: CNNVD-201810-1024 // NVD: CVE-2018-17907

REFERENCES

url:https://ics-cert.us-cert.gov/advisories/icsa-18-290-01

Trust: 4.7

url:http://www.securityfocus.com/bid/105691

Trust: 1.7

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-17909

Trust: 0.8

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-17913

Trust: 0.8

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-17905

Trust: 0.8

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-17907

Trust: 0.8

url:http://www.us-cert.gov/control_systems/pdf/icsa-18-290-01.pdf

Trust: 0.8

url:https://jvn.jp/vu/jvnvu99213938/

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-17905

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-17907

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-17909

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-17913

Trust: 0.8

url:https://industrial.omron.eu/

Trust: 0.3

sources: ZDI: ZDI-18-1285 // ZDI: ZDI-18-1280 // ZDI: ZDI-18-1288 // CNVD: CNVD-2018-21479 // VULHUB: VHN-128413 // BID: 105691 // JVNDB: JVNDB-2018-008493 // CNNVD: CNNVD-201810-1024 // NVD: CVE-2018-17907

CREDITS

b0nd @garage4hackers

Trust: 1.4

sources: ZDI: ZDI-18-1280 // ZDI: ZDI-18-1288

SOURCES

db: IVD, id: e2fe53a1-39ab-11e9-af12-000c29342cb1
db: ZDI, id: ZDI-18-1285
db: ZDI, id: ZDI-18-1280
db: ZDI, id: ZDI-18-1288
db: CNVD, id: CNVD-2018-21479
db: VULHUB, id: VHN-128413
db: BID, id: 105691
db: JVNDB, id: JVNDB-2018-008493
db: CNNVD, id: CNNVD-201810-1024
db: NVD, id: CVE-2018-17907

LAST UPDATE DATE

2024-11-23T21:38:03.068000+00:00


SOURCES UPDATE DATE

db: ZDI, id: ZDI-18-1285, date: 2018-10-17T00:00:00
db: ZDI, id: ZDI-18-1280, date: 2018-10-17T00:00:00
db: ZDI, id: ZDI-18-1288, date: 2018-10-17T00:00:00
db: CNVD, id: CNVD-2018-21479, date: 2018-10-23T00:00:00
db: VULHUB, id: VHN-128413, date: 2019-10-09T00:00:00
db: BID, id: 105691, date: 2018-10-17T00:00:00
db: JVNDB, id: JVNDB-2018-008493, date: 2019-07-26T00:00:00
db: CNNVD, id: CNNVD-201810-1024, date: 2019-10-17T00:00:00
db: NVD, id: CVE-2018-17907, date: 2024-11-21T03:55:11.030

SOURCES RELEASE DATE

db: IVD, id: e2fe53a1-39ab-11e9-af12-000c29342cb1, date: 2018-10-23T00:00:00
db: ZDI, id: ZDI-18-1285, date: 2018-10-17T00:00:00
db: ZDI, id: ZDI-18-1280, date: 2018-10-17T00:00:00
db: ZDI, id: ZDI-18-1288, date: 2018-10-17T00:00:00
db: CNVD, id: CNVD-2018-21479, date: 2018-10-19T00:00:00
db: VULHUB, id: VHN-128413, date: 2018-11-05T00:00:00
db: BID, id: 105691, date: 2018-10-17T00:00:00
db: JVNDB, id: JVNDB-2018-008493, date: 2018-10-19T00:00:00
db: CNNVD, id: CNNVD-201810-1024, date: 2018-10-18T00:00:00
db: NVD, id: CVE-2018-17907, date: 2018-11-05T23:29:00.270