Sign-up

ID

VAR-201903-0651


CVE

CVE-2014-9187


TITLE

Honeywell Experion PKS Module buffer error vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2014-008655

DESCRIPTION

Multiple heap-based buffer overflow vulnerabilities exist in Honeywell Experion PKS all versions prior to R400.6, all versions prior to R410.6, and all versions prior to R430.2 modules, which could lead to possible remote code execution or denial of service. Honeywell strongly encourages and recommends all customers running unsupported versions of EKPS prior to R400 to upgrade to a supported version. Honeywell Experion PKS The module contains a buffer error vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Honeywell EPKS is used in the automation and control of industrial and production processes and is a distributed control system solution, including a web-based SCADA system. Honeywell Experion PKS has multiple remote heap buffer overflow vulnerabilities because it fails to perform sufficient boundary checking on user-supplied inputs. Allows an attacker to exploit a vulnerability to execute arbitrary code or initiate a denial of service attack in the context of the affected user's application. The following versions are affected: Honeywell Experion R40x versions prior to Experion PKS R400.6 Honeywell Experion R41x versions prior to Experion PKS R410.6 Honeywell Experion R43x versions prior to Experion PKS R430.2

Trust: 2.61

sources: NVD: CVE-2014-9187 // JVNDB: JVNDB-2014-008655 // CNVD: CNVD-2014-09113 // BID: 71749 // IVD: b3c56baa-2351-11e6-abef-000c29c66e3d

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.8

sources: IVD: b3c56baa-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-09113

AFFECTED PRODUCTS

vendor:honeywellmodel:experion process knowledge systemscope:ltversion:r400.6

Trust: 1.8

vendor:honeywellmodel:experion process knowledge systemscope:ltversion:r410.6

Trust: 1.8

vendor:honeywellmodel:experion process knowledge systemscope:ltversion:r430.2

Trust: 1.8

vendor:honeywellmodel:experion process knowledge systemscope:gteversion:r400

Trust: 1.0

vendor:honeywellmodel:experion process knowledge systemscope:gteversion:r410

Trust: 1.0

vendor:honeywellmodel:experion process knowledge systemscope:gteversion:r430

Trust: 1.0

vendor:experion process knowledge systemmodel: - scope:eqversion:*

Trust: 0.6

vendor:honeywellmodel:experion pks r40xscope: - version: -

Trust: 0.6

vendor:honeywellmodel:experion pks r41xscope: - version: -

Trust: 0.6

vendor:honeywellmodel:experion pks r43xscope: - version: -

Trust: 0.6

vendor:honeywellmodel:experion pks r430.1scope: - version: -

Trust: 0.3

vendor:honeywellmodel:experion pks r430scope: - version: -

Trust: 0.3

vendor:honeywellmodel:experion pks r410.5scope: - version: -

Trust: 0.3

vendor:honeywellmodel:experion pks r410scope: - version: -

Trust: 0.3

vendor:honeywellmodel:experion pks r400.5scope: - version: -

Trust: 0.3

vendor:honeywellmodel:experion pks r400scope: - version: -

Trust: 0.3

vendor:honeywellmodel:experion pks r430.2scope:neversion: -

Trust: 0.3

vendor:honeywellmodel:experion pks r410.6scope:neversion: -

Trust: 0.3

vendor:honeywellmodel:experion pks r400.6scope:neversion: -

Trust: 0.3

sources: IVD: b3c56baa-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-09113 // BID: 71749 // JVNDB: JVNDB-2014-008655 // NVD: CVE-2014-9187

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-9187
value: CRITICAL

Trust: 1.0

NVD: CVE-2014-9187
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2014-09113
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201412-511
value: CRITICAL

Trust: 0.6

IVD: b3c56baa-2351-11e6-abef-000c29c66e3d
value: CRITICAL

Trust: 0.2

nvd@nist.gov: CVE-2014-9187
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2014-09113
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: b3c56baa-2351-11e6-abef-000c29c66e3d
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2014-9187
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: IVD: b3c56baa-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-09113 // JVNDB: JVNDB-2014-008655 // CNNVD: CNNVD-201412-511 // NVD: CVE-2014-9187

PROBLEMTYPE DATA

problemtype:CWE-119

Trust: 1.8

problemtype:CWE-122

Trust: 1.0

sources: JVNDB: JVNDB-2014-008655 // NVD: CVE-2014-9187

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201412-511

TYPE

Buffer error

Trust: 0.8

sources: IVD: b3c56baa-2351-11e6-abef-000c29c66e3d // CNNVD: CNNVD-201412-511

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2014-008655

PATCH
title:Experion PKSurl:https://www.honeywellprocess.com/en-US/explore/products/control-monitoring-and-safety-systems/integrated-control-and-safety-systems/experion-pks/Pages/default.aspx
Trust: 0.8
title:Honeywell Experion PKS has multiple patches for remote heap buffer overflow vulnerabilitiesurl:https://www.cnvd.org.cn/patchInfo/show/53118
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2014-09113 // 
            
            
            
            JVNDB: JVNDB-2014-008655

EXTERNAL IDS
db:NVDid:CVE-2014-9187
Trust: 3.5
db:ICS CERTid:ICSA-14-352-01
Trust: 2.7
db:BIDid:71749
Trust: 0.9
db:CNVDid:CNVD-2014-09113
Trust: 0.8
db:CNNVDid:CNNVD-201412-511
Trust: 0.8
db:JVNDBid:JVNDB-2014-008655
Trust: 0.8
db:IVDid:B3C56BAA-2351-11E6-ABEF-000C29C66E3D
Trust: 0.2
sources:
            
            
            IVD: b3c56baa-2351-11e6-abef-000c29c66e3d // 
            
            
            
            CNVD: CNVD-2014-09113 // 
            
            
            
            BID: 71749 // 
            
            
            
            JVNDB: JVNDB-2014-008655 // 
            
            
            
            CNNVD: CNNVD-201412-511 // 
            
            
            
            NVD: CVE-2014-9187

REFERENCES
url:https://ics-cert.us-cert.gov/advisories/icsa-14-352-01
Trust: 2.7
url:https://nvd.nist.gov/vuln/detail/cve-2014-9187
Trust: 1.4
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-9187
Trust: 0.8
url:http://www.securityfocus.com/bid/71749
Trust: 0.6
url:https://www.honeywellprocess.com/en-us/training/programs/control-monitoring-and-safety-systems/pages/experion-pks.aspx
Trust: 0.3
url:http://s1018729.instanturl.net/wp-content/uploads/2013/01/overview_epdoc-xx81-en-410.pdf
Trust: 0.3
sources:
            
            
            CNVD: CNVD-2014-09113 // 
            
            
            
            BID: 71749 // 
            
            
            
            JVNDB: JVNDB-2014-008655 // 
            
            
            
            CNNVD: CNNVD-201412-511 // 
            
            
            
            NVD: CVE-2014-9187

CREDITS
Kirill Nesterov,Alexander Tlyapov, Gleb Gritsai, Artem Chaykin and Ilya Karpov of the Positive Technologies Research Team and Security Lab
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-201412-511

SOURCES
db:IVDid:b3c56baa-2351-11e6-abef-000c29c66e3d
db:CNVDid:CNVD-2014-09113
db:BIDid:71749
db:JVNDBid:JVNDB-2014-008655
db:CNNVDid:CNNVD-201412-511
db:NVDid:CVE-2014-9187

LAST UPDATE DATE
2024-08-14T13:55:35.873000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2014-09113date:2014-12-25T00:00:00
db:BIDid:71749date:2014-12-18T00:00:00
db:JVNDBid:JVNDB-2014-008655date:2019-05-10T00:00:00
db:CNNVDid:CNNVD-201412-511date:2019-04-10T00:00:00
db:NVDid:CVE-2014-9187date:2019-10-09T23:12:24.390

SOURCES RELEASE DATE
db:IVDid:b3c56baa-2351-11e6-abef-000c29c66e3ddate:2014-12-25T00:00:00
db:CNVDid:CNVD-2014-09113date:2014-12-25T00:00:00
db:BIDid:71749date:2014-12-18T00:00:00
db:JVNDBid:JVNDB-2014-008655date:2019-05-10T00:00:00
db:CNNVDid:CNNVD-201412-511date:2014-12-25T00:00:00
db:NVDid:CVE-2014-9187date:2019-03-25T20:29:00.253