Sign-up

ID

VAR-201904-0506


CVE

CVE-2014-9186


TITLE

Honeywell Experion PKS File contains vulnerabilities

Trust: 0.8

sources: IVD: b3aa354c-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-09111

DESCRIPTION

A file inclusion vulnerability exists in the confd.exe module in Honeywell Experion PKS R40x before R400.6, R41x before R410.6, and R43x before R430.2, which could lead to accepting an arbitrary file into the function, and potential information disclosure or remote code execution. Honeywell strongly encourages and recommends all customers running unsupported versions of EKPS prior to R400 to upgrade to a supported version. Honeywell Experion PKS Contains an input validation vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Honeywell EPKS is used in the automation and control of industrial and production processes and is a distributed control system solution, including a web-based SCADA system. The Honeywell Experion PKS presence file contains a vulnerability because it fails to adequately filter the input provided by the user. An attacker could exploit this vulnerability to obtain sensitive information or execute arbitrary script code in the context of a web server process. The following versions are affected: Honeywell Experion R40x versions prior to Experion PKS R400.6 Honeywell Experion R41x versions prior to Experion PKS R410.6 Honeywell Experion R43x versions prior to Experion PKS R430.2. An attacker could exploit the vulnerability via a file inclusion attack by submitting a crafted function to the affected software. Honeywell has confirmed the vulnerability and released updated software

Trust: 2.7

sources: NVD: CVE-2014-9186 // JVNDB: JVNDB-2014-008658 // CNVD: CNVD-2014-09111 // BID: 71753 // IVD: b3aa354c-2351-11e6-abef-000c29c66e3d // VULMON: CVE-2014-9186

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.8

sources: IVD: b3aa354c-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-09111

AFFECTED PRODUCTS

vendor:honeywellmodel:experion process knowledge systemscope:gteversion:r410

Trust: 1.0

vendor:honeywellmodel:experion process knowledge systemscope:ltversion:r430.2

Trust: 1.0

vendor:honeywellmodel:experion process knowledge systemscope:ltversion:r400.6

Trust: 1.0

vendor:honeywellmodel:experion process knowledge systemscope:gteversion:r400

Trust: 1.0

vendor:honeywellmodel:experion process knowledge systemscope:ltversion:r410.6

Trust: 1.0

vendor:honeywellmodel:experion process knowledge systemscope:gteversion:r430

Trust: 1.0

vendor:honeywellmodel:experion process knowledge systemscope:ltversion:r43x

Trust: 0.8

vendor:honeywellmodel:experion process knowledge systemscope:ltversion:r41x

Trust: 0.8

vendor:honeywellmodel:experion process knowledge systemscope:eqversion:r430.2

Trust: 0.8

vendor:honeywellmodel:experion process knowledge systemscope:eqversion:r410.6

Trust: 0.8

vendor:honeywellmodel:experion process knowledge systemscope:eqversion:r400.6

Trust: 0.8

vendor:honeywellmodel:experion process knowledge systemscope:ltversion:r40x

Trust: 0.8

vendor:experion process knowledge systemmodel: - scope:eqversion:*

Trust: 0.6

vendor:honeywellmodel:experion pks r40xscope: - version: -

Trust: 0.6

vendor:honeywellmodel:experion pks r41xscope: - version: -

Trust: 0.6

vendor:honeywellmodel:experion pks r43xscope: - version: -

Trust: 0.6

sources: IVD: b3aa354c-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-09111 // JVNDB: JVNDB-2014-008658 // NVD: CVE-2014-9186

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-9186
value: CRITICAL

Trust: 1.0

NVD: CVE-2014-9186
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2014-09111
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201412-506
value: CRITICAL

Trust: 0.6

IVD: b3aa354c-2351-11e6-abef-000c29c66e3d
value: CRITICAL

Trust: 0.2

VULMON: CVE-2014-9186
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2014-9186
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2014-09111
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: b3aa354c-2351-11e6-abef-000c29c66e3d
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2014-9186
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: IVD: b3aa354c-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-09111 // VULMON: CVE-2014-9186 // JVNDB: JVNDB-2014-008658 // CNNVD: CNNVD-201412-506 // NVD: CVE-2014-9186

PROBLEMTYPE DATA

problemtype:CWE-20

Trust: 1.8

problemtype:CWE-98

Trust: 1.0

sources: JVNDB: JVNDB-2014-008658 // NVD: CVE-2014-9186

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201412-506

TYPE

Input validation error

Trust: 1.1

sources: IVD: b3aa354c-2351-11e6-abef-000c29c66e3d // BID: 71753 // CNNVD: CNNVD-201412-506

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2014-008658

PATCH
title:Experion PKSurl:https://www.honeywellprocess.com/en-US/explore/products/control-monitoring-and-safety-systems/integrated-control-and-safety-systems/experion-pks/Pages/default.aspx
Trust: 0.8
title:Honeywell Experion PKS file contains patches for vulnerabilitiesurl:https://www.cnvd.org.cn/patchInfo/show/53116
Trust: 0.6
title:Honeywell International Experion PKS Enter the fix for the verification error vulnerabilityurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=91622
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2014-09111 // 
            
            
            
            JVNDB: JVNDB-2014-008658 // 
            
            
            
            CNNVD: CNNVD-201412-506

EXTERNAL IDS
db:NVDid:CVE-2014-9186
Trust: 3.6
db:ICS CERTid:ICSA-14-352-01
Trust: 2.5
db:BIDid:71753
Trust: 0.9
db:CNVDid:CNVD-2014-09111
Trust: 0.8
db:CNNVDid:CNNVD-201412-506
Trust: 0.8
db:JVNDBid:JVNDB-2014-008658
Trust: 0.8
db:IVDid:B3AA354C-2351-11E6-ABEF-000C29C66E3D
Trust: 0.2
db:VULMONid:CVE-2014-9186
Trust: 0.1
sources:
            
            
            IVD: b3aa354c-2351-11e6-abef-000c29c66e3d // 
            
            
            
            CNVD: CNVD-2014-09111 // 
            
            
            
            VULMON: CVE-2014-9186 // 
            
            
            
            BID: 71753 // 
            
            
            
            JVNDB: JVNDB-2014-008658 // 
            
            
            
            CNNVD: CNNVD-201412-506 // 
            
            
            
            NVD: CVE-2014-9186

REFERENCES
url:https://ics-cert.us-cert.gov/advisories/icsa-14-352-01
Trust: 2.6
url:https://nvd.nist.gov/vuln/detail/cve-2014-9186
Trust: 1.4
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-9186
Trust: 0.8
url:http://www.securityfocus.com/bid/71753
Trust: 0.6
url:https://cwe.mitre.org/data/definitions/20.html
Trust: 0.1
url:http://tools.cisco.com/security/center/viewalert.x?alertid=36833
Trust: 0.1
url:https://nvd.nist.gov
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2014-09111 // 
            
            
            
            VULMON: CVE-2014-9186 // 
            
            
            
            JVNDB: JVNDB-2014-008658 // 
            
            
            
            CNNVD: CNNVD-201412-506 // 
            
            
            
            NVD: CVE-2014-9186

CREDITS
Kirill Nesterov,Alexander Tlyapov, Gleb Gritsai, Artem Chaykin and Ilya Karpov of the Positive Technologies Research Team and Security Lab
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-201412-506

SOURCES
db:IVDid:b3aa354c-2351-11e6-abef-000c29c66e3d
db:CNVDid:CNVD-2014-09111
db:VULMONid:CVE-2014-9186
db:BIDid:71753
db:JVNDBid:JVNDB-2014-008658
db:CNNVDid:CNNVD-201412-506
db:NVDid:CVE-2014-9186

LAST UPDATE DATE
2024-11-23T22:45:04.482000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2014-09111date:2014-12-26T00:00:00
db:VULMONid:CVE-2014-9186date:2019-10-09T00:00:00
db:BIDid:71753date:2014-12-19T00:00:00
db:JVNDBid:JVNDB-2014-008658date:2019-05-13T00:00:00
db:CNNVDid:CNNVD-201412-506date:2019-04-19T00:00:00
db:NVDid:CVE-2014-9186date:2024-11-21T02:20:21.767

SOURCES RELEASE DATE
db:IVDid:b3aa354c-2351-11e6-abef-000c29c66e3ddate:2014-12-25T00:00:00
db:CNVDid:CNVD-2014-09111date:2014-12-25T00:00:00
db:VULMONid:CVE-2014-9186date:2019-04-08T00:00:00
db:BIDid:71753date:2014-12-19T00:00:00
db:JVNDBid:JVNDB-2014-008658date:2019-05-13T00:00:00
db:CNNVDid:CNNVD-201412-506date:2014-12-25T00:00:00
db:NVDid:CVE-2014-9186date:2019-04-08T16:29:00.493