ID

VAR-201811-0101


CVE

CVE-2018-17909


TITLE

OMRON CX-Supervisor SCS File Parsing Use-After-Free Remote Code Execution Vulnerability

Trust: 2.8

sources: ZDI: ZDI-18-1283 // ZDI: ZDI-18-1284 // ZDI: ZDI-18-1279 // ZDI: ZDI-18-1281

DESCRIPTION

When processing project files in Omron CX-Supervisor Versions 3.4.1.0 and prior, the application fails to check if it is referencing freed memory, which may allow an attacker to execute code under the context of the application.

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of OMRON CX-Supervisor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of SCS files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process.

The Omron CX-Supervisor is a visual machine controller from Omron, Japan. Omron CX-Supervisor is prone to the following security vulnerabilities:

1. Multiple remote code-execution vulnerabilities
2. A memory-corruption vulnerability
3. A use-after-free vulnerability exists in Omron CX-Supervisor 3.4.1.0 and earlier versions

Trust: 6.48

sources: NVD: CVE-2018-17909 // JVNDB: JVNDB-2018-008493 // ZDI: ZDI-18-1283 // ZDI: ZDI-18-1446 // ZDI: ZDI-18-1284 // ZDI: ZDI-18-1279 // ZDI: ZDI-18-1282 // ZDI: ZDI-18-1281 // CNVD: CNVD-2018-21476 // BID: 105691 // IVD: e2fe53a0-39ab-11e9-b9bc-000c29342cb1 // VULHUB: VHN-128415

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.8

sources: IVD: e2fe53a0-39ab-11e9-b9bc-000c29342cb1 // CNVD: CNVD-2018-21476

AFFECTED PRODUCTS

vendor: omron, model: cx-supervisor, scope: -, version: -

Trust: 4.2

vendor: omron, model: cx-supervisor, scope: lte, version: 3.4.1.0

Trust: 1.0

vendor: omron, model: cx-supervisor, scope: lte, version: version 3.4.1

Trust: 0.8

vendor: omron, model: cx-supervisor, scope: lte, version: <=3.4.1.0

Trust: 0.6

vendor: omron, model: cx-supervisor, scope: eq, version: 3.4.1.0

Trust: 0.6

vendor: omron, model: cx-supervisor, scope: eq, version: 3.4.1

Trust: 0.3

vendor: omron, model: cx-supervisor, scope: ne, version: 3.4.2

Trust: 0.3

vendor: cx supervisor, model: -, scope: eq, version: *

Trust: 0.2

sources: IVD: e2fe53a0-39ab-11e9-b9bc-000c29342cb1 // ZDI: ZDI-18-1283 // ZDI: ZDI-18-1446 // ZDI: ZDI-18-1284 // ZDI: ZDI-18-1279 // ZDI: ZDI-18-1282 // ZDI: ZDI-18-1281 // CNVD: CNVD-2018-21476 // BID: 105691 // JVNDB: JVNDB-2018-008493 // CNNVD: CNNVD-201810-1025 // NVD: CVE-2018-17909

CVSS

SEVERITY

CVSSV2

CVSSV3

ZDI: CVE-2018-17909
value: MEDIUM

Trust: 3.5

JPCERT/CC: JVNDB-2018-008493
value: MEDIUM

Trust: 1.6

nvd@nist.gov: CVE-2018-17909
value: HIGH

Trust: 1.0

JPCERT/CC: JVNDB-2018-008493
value: HIGH

Trust: 0.8

JPCERT/CC: JVNDB-2018-008493
value: LOW

Trust: 0.8

ZDI: CVE-2018-17909
value: CRITICAL

Trust: 0.7

CNVD: CNVD-2018-21476
value: LOW

Trust: 0.6

CNNVD: CNNVD-201810-1025
value: HIGH

Trust: 0.6

IVD: e2fe53a0-39ab-11e9-b9bc-000c29342cb1
value: HIGH

Trust: 0.2

VULHUB: VHN-128415
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-17909
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 4.5

JPCERT/CC: JVNDB-2018-008493
severity: MEDIUM
baseScore: 4.4
vectorString: AV:L/AC:M/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.6

JPCERT/CC: JVNDB-2018-008493
severity: MEDIUM
baseScore: 6.9
vectorString: AV:L/AC:M/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

JPCERT/CC: JVNDB-2018-008493
severity: LOW
baseScore: 1.9
vectorString: AV:L/AC:M/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2018-21476
severity: LOW
baseScore: 3.7
vectorString: AV:L/AC:H/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 1.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: e2fe53a0-39ab-11e9-b9bc-000c29342cb1
severity: LOW
baseScore: 3.7
vectorString: AV:L/AC:H/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 1.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-128415
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

JPCERT/CC: JVNDB-2018-008493
baseSeverity: MEDIUM
baseScore: 4.5
vectorString: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
attackVector: LOCAL
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 1.6

nvd@nist.gov: CVE-2018-17909
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 1.0

JPCERT/CC: JVNDB-2018-008493
baseSeverity: HIGH
baseScore: 7.0
vectorString: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

JPCERT/CC: JVNDB-2018-008493
baseSeverity: LOW
baseScore: 2.5
vectorString: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
attackVector: LOCAL
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

ZDI: CVE-2018-17909
baseSeverity: CRITICAL
baseScore: 7.0
vectorString: AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.0
impactScore: 5.9
version: 3.0

Trust: 0.7

sources: IVD: e2fe53a0-39ab-11e9-b9bc-000c29342cb1 // ZDI: ZDI-18-1283 // ZDI: ZDI-18-1446 // ZDI: ZDI-18-1284 // ZDI: ZDI-18-1279 // ZDI: ZDI-18-1282 // ZDI: ZDI-18-1281 // CNVD: CNVD-2018-21476 // VULHUB: VHN-128415 // JVNDB: JVNDB-2018-008493 // JVNDB: JVNDB-2018-008493 // JVNDB: JVNDB-2018-008493 // JVNDB: JVNDB-2018-008493 // CNNVD: CNNVD-201810-1025 // NVD: CVE-2018-17909

PROBLEMTYPE DATA

problemtype:CWE-416

Trust: 1.1

sources: VULHUB: VHN-128415 // NVD: CVE-2018-17909

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201810-1025

TYPE

Resource management error

Trust: 0.8

sources: IVD: e2fe53a0-39ab-11e9-b9bc-000c29342cb1 // CNNVD: CNNVD-201810-1025

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-008493

PATCH

title: OMRON has issued an update to correct this vulnerability.
url: https://ics-cert.us-cert.gov/advisories/ICSA-18-290-01

Trust: 4.2

title: Release Notes For CX-Supervisor 3.4.2
url: https://www.myomron.com/index.php?article=1709&action=kb

Trust: 0.8

title: Omron CX-Supervisor code execution vulnerability patch
url: https://www.cnvd.org.cn/patchInfo/show/142869

Trust: 0.6

title: Omron CX-Supervisor Security vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=86089

Trust: 0.6

sources: ZDI: ZDI-18-1283 // ZDI: ZDI-18-1446 // ZDI: ZDI-18-1284 // ZDI: ZDI-18-1279 // ZDI: ZDI-18-1282 // ZDI: ZDI-18-1281 // CNVD: CNVD-2018-21476 // JVNDB: JVNDB-2018-008493 // CNNVD: CNNVD-201810-1025

EXTERNAL IDS

db: NVD, id: CVE-2018-17909

Trust: 7.8

db: ICS CERT, id: ICSA-18-290-01

Trust: 3.4

db: BID, id: 105691

Trust: 2.0

db: CNNVD, id: CNNVD-201810-1025

Trust: 0.9

db: CNVD, id: CNVD-2018-21476

Trust: 0.8

db: JVN, id: JVNVU99213938

Trust: 0.8

db: JVNDB, id: JVNDB-2018-008493

Trust: 0.8

db: ZDI_CAN, id: ZDI-CAN-6403

Trust: 0.7

db: ZDI, id: ZDI-18-1283

Trust: 0.7

db: ZDI_CAN, id: ZDI-CAN-6657

Trust: 0.7

db: ZDI, id: ZDI-18-1446

Trust: 0.7

db: ZDI_CAN, id: ZDI-CAN-6402

Trust: 0.7

db: ZDI, id: ZDI-18-1284

Trust: 0.7

db: ZDI_CAN, id: ZDI-CAN-6446

Trust: 0.7

db: ZDI, id: ZDI-18-1279

Trust: 0.7

db: ZDI_CAN, id: ZDI-CAN-6581

Trust: 0.7

db: ZDI, id: ZDI-18-1282

Trust: 0.7

db: ZDI_CAN, id: ZDI-CAN-6582

Trust: 0.7

db: ZDI, id: ZDI-18-1281

Trust: 0.7

db: IVD, id: E2FE53A0-39AB-11E9-B9BC-000C29342CB1

Trust: 0.2

db: VULHUB, id: VHN-128415

Trust: 0.1

sources: IVD: e2fe53a0-39ab-11e9-b9bc-000c29342cb1 // ZDI: ZDI-18-1283 // ZDI: ZDI-18-1446 // ZDI: ZDI-18-1284 // ZDI: ZDI-18-1279 // ZDI: ZDI-18-1282 // ZDI: ZDI-18-1281 // CNVD: CNVD-2018-21476 // VULHUB: VHN-128415 // BID: 105691 // JVNDB: JVNDB-2018-008493 // CNNVD: CNNVD-201810-1025 // NVD: CVE-2018-17909

REFERENCES

url:https://ics-cert.us-cert.gov/advisories/icsa-18-290-01

Trust: 6.8

url:http://www.securityfocus.com/bid/105691

Trust: 1.7

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-17909

Trust: 0.8

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-17913

Trust: 0.8

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-17905

Trust: 0.8

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-17907

Trust: 0.8

url:http://www.us-cert.gov/control_systems/pdf/icsa-18-290-01.pdf

Trust: 0.8

url:https://jvn.jp/vu/jvnvu99213938/

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-17905

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-17907

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-17909

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-17913

Trust: 0.8

url:https://industrial.omron.eu/

Trust: 0.3

sources: ZDI: ZDI-18-1283 // ZDI: ZDI-18-1446 // ZDI: ZDI-18-1284 // ZDI: ZDI-18-1279 // ZDI: ZDI-18-1282 // ZDI: ZDI-18-1281 // CNVD: CNVD-2018-21476 // VULHUB: VHN-128415 // BID: 105691 // JVNDB: JVNDB-2018-008493 // CNNVD: CNNVD-201810-1025 // NVD: CVE-2018-17909

CREDITS

b0nd @garage4hackers

Trust: 2.1

sources: ZDI: ZDI-18-1283 // ZDI: ZDI-18-1284 // ZDI: ZDI-18-1279

SOURCES

db: IVD, id: e2fe53a0-39ab-11e9-b9bc-000c29342cb1
db: ZDI, id: ZDI-18-1283
db: ZDI, id: ZDI-18-1446
db: ZDI, id: ZDI-18-1284
db: ZDI, id: ZDI-18-1279
db: ZDI, id: ZDI-18-1282
db: ZDI, id: ZDI-18-1281
db: CNVD, id: CNVD-2018-21476
db: VULHUB, id: VHN-128415
db: BID, id: 105691
db: JVNDB, id: JVNDB-2018-008493
db: CNNVD, id: CNNVD-201810-1025
db: NVD, id: CVE-2018-17909

LAST UPDATE DATE

2024-11-23T21:38:03.001000+00:00


SOURCES UPDATE DATE

db: ZDI, id: ZDI-18-1283, date: 2018-10-17T00:00:00
db: ZDI, id: ZDI-18-1446, date: 2019-01-24T00:00:00
db: ZDI, id: ZDI-18-1284, date: 2018-10-17T00:00:00
db: ZDI, id: ZDI-18-1279, date: 2018-10-17T00:00:00
db: ZDI, id: ZDI-18-1282, date: 2018-10-17T00:00:00
db: ZDI, id: ZDI-18-1281, date: 2018-10-17T00:00:00
db: CNVD, id: CNVD-2018-21476, date: 2018-10-23T00:00:00
db: VULHUB, id: VHN-128415, date: 2019-10-09T00:00:00
db: BID, id: 105691, date: 2018-10-17T00:00:00
db: JVNDB, id: JVNDB-2018-008493, date: 2019-07-26T00:00:00
db: CNNVD, id: CNNVD-201810-1025, date: 2019-10-17T00:00:00
db: NVD, id: CVE-2018-17909, date: 2024-11-21T03:55:11.267

SOURCES RELEASE DATE

db: IVD, id: e2fe53a0-39ab-11e9-b9bc-000c29342cb1, date: 2018-10-23T00:00:00
db: ZDI, id: ZDI-18-1283, date: 2018-10-17T00:00:00
db: ZDI, id: ZDI-18-1446, date: 2019-01-24T00:00:00
db: ZDI, id: ZDI-18-1284, date: 2018-10-17T00:00:00
db: ZDI, id: ZDI-18-1279, date: 2018-10-17T00:00:00
db: ZDI, id: ZDI-18-1282, date: 2018-10-17T00:00:00
db: ZDI, id: ZDI-18-1281, date: 2018-10-17T00:00:00
db: CNVD, id: CNVD-2018-21476, date: 2018-10-19T00:00:00
db: VULHUB, id: VHN-128415, date: 2018-11-05T00:00:00
db: BID, id: 105691, date: 2018-10-17T00:00:00
db: JVNDB, id: JVNDB-2018-008493, date: 2018-10-19T00:00:00
db: CNNVD, id: CNNVD-201810-1025, date: 2018-10-18T00:00:00
db: NVD, id: CVE-2018-17909, date: 2018-11-05T23:29:00.317