ID

VAR-201906-0209


CVE

CVE-2019-6532


TITLE

Panasonic Control FPWIN Pro Project File Parsing sc_obj Type Confusion Remote Code Execution Vulnerability

Trust: 1.4

sources: ZDI: ZDI-19-568 // ZDI: ZDI-19-570

DESCRIPTION

Panasonic FPWIN Pro version 7.3.0.0 and prior allows attacker-created project files to be loaded by an authenticated user, triggering incompatible type errors because the resource does not have expected properties. This may lead to remote code execution. Panasonic FPWIN Pro contains an illegal type conversion vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Panasonic Control FPWIN Pro. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PRO files. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to execute code in the context of the process. Failed exploits may result in denial-of-service conditions. Panasonic FPWIN Pro version 7.3.0.0 and prior versions are vulnerable; other versions may also be affected.

Trust: 3.78

sources: NVD: CVE-2019-6532 // JVNDB: JVNDB-2019-005356 // ZDI: ZDI-19-568 // ZDI: ZDI-19-570 // ZDI: ZDI-19-566 // BID: 108683

AFFECTED PRODUCTS

vendor: panasonic
model: control fpwin pro
scope: -
version: -

Trust: 2.1

vendor: panasonic
model: control fpwin pro
scope: lte
version: 7.3.0.0

Trust: 1.0

vendor: panasonic
model: fpwin pro
scope: lte
version: 7.3.0.0

Trust: 0.8

vendor: panasonic
model: control fpwin pro
scope: eq
version: 7.3.0.0

Trust: 0.3

vendor: panasonic
model: control fpwin pro
scope: ne
version: 7.3.1.0

Trust: 0.3

sources: ZDI: ZDI-19-568 // ZDI: ZDI-19-570 // ZDI: ZDI-19-566 // BID: 108683 // JVNDB: JVNDB-2019-005356 // NVD: CVE-2019-6532

CVSS

SEVERITY

ZDI: CVE-2019-6532
value: HIGH

Trust: 2.1

nvd@nist.gov: CVE-2019-6532
value: HIGH

Trust: 1.0

NVD: CVE-2019-6532
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201906-279
value: HIGH

Trust: 0.6

CVSSV2

nvd@nist.gov: CVE-2019-6532
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CVSSV3

ZDI: CVE-2019-6532
baseSeverity: HIGH
baseScore: 7.8
vectorString: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 2.1

nvd@nist.gov: CVE-2019-6532
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2019-6532
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: ZDI: ZDI-19-568 // ZDI: ZDI-19-570 // ZDI: ZDI-19-566 // JVNDB: JVNDB-2019-005356 // CNNVD: CNNVD-201906-279 // NVD: CVE-2019-6532

PROBLEMTYPE DATA

problemtype: CWE-843

Trust: 1.0

problemtype: CWE-704

Trust: 0.8

sources: JVNDB: JVNDB-2019-005356 // NVD: CVE-2019-6532

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201906-279

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-201906-279

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-005356

PATCH

title: Panasonic has issued an update to correct this vulnerability.
url: https://ics-cert.us-cert.gov/advisories/ICSA-19-157-02

Trust: 2.1

title: FPWIN Pro
url: https://www.panasonic-electric-works.com/eu/plc-software-control-fpwin-pro.htm

Trust: 0.8

title: Panasonic FPWIN Pro Fixes for code issue vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=93360

Trust: 0.6

sources: ZDI: ZDI-19-568 // ZDI: ZDI-19-570 // ZDI: ZDI-19-566 // JVNDB: JVNDB-2019-005356 // CNNVD: CNNVD-201906-279

EXTERNAL IDS

db: NVD, id: CVE-2019-6532

Trust: 4.8

db: ICS CERT, id: ICSA-19-157-02

Trust: 2.7

db: ZDI, id: ZDI-19-568

Trust: 2.3

db: ZDI, id: ZDI-19-570

Trust: 2.3

db: ZDI, id: ZDI-19-566

Trust: 2.3

db: BID, id: 108683

Trust: 1.9

db: JVNDB, id: JVNDB-2019-005356

Trust: 0.8

db: ZDI_CAN, id: ZDI-CAN-7851

Trust: 0.7

db: ZDI_CAN, id: ZDI-CAN-7850

Trust: 0.7

db: ZDI_CAN, id: ZDI-CAN-7849

Trust: 0.7

db: AUSCERT, id: ESB-2019.2044

Trust: 0.6

db: CNNVD, id: CNNVD-201906-279

Trust: 0.6

sources: ZDI: ZDI-19-568 // ZDI: ZDI-19-570 // ZDI: ZDI-19-566 // BID: 108683 // JVNDB: JVNDB-2019-005356 // CNNVD: CNNVD-201906-279 // NVD: CVE-2019-6532

REFERENCES

url: https://ics-cert.us-cert.gov/advisories/icsa-19-157-02

Trust: 5.4

url: https://www.zerodayinitiative.com/advisories/zdi-19-570/

Trust: 2.2

url: http://www.securityfocus.com/bid/108683

Trust: 2.2

url: https://www.zerodayinitiative.com/advisories/zdi-19-568/

Trust: 1.6

url: https://www.zerodayinitiative.com/advisories/zdi-19-566/

Trust: 1.6

url: https://nvd.nist.gov/vuln/detail/cve-2019-6532

Trust: 1.4

url: http://panasonic.com/

Trust: 0.9

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-6532

Trust: 0.8

url: https://www.auscert.org.au/bulletins/esb-2019.2044/

Trust: 0.6

sources: ZDI: ZDI-19-568 // ZDI: ZDI-19-570 // ZDI: ZDI-19-566 // BID: 108683 // JVNDB: JVNDB-2019-005356 // CNNVD: CNNVD-201906-279 // NVD: CVE-2019-6532

CREDITS

9sg Security Team

Trust: 2.1

sources: ZDI: ZDI-19-568 // ZDI: ZDI-19-570 // ZDI: ZDI-19-566

SOURCES

db: ZDI, id: ZDI-19-568
db: ZDI, id: ZDI-19-570
db: ZDI, id: ZDI-19-566
db: BID, id: 108683
db: JVNDB, id: JVNDB-2019-005356
db: CNNVD, id: CNNVD-201906-279
db: NVD, id: CVE-2019-6532

LAST UPDATE DATE

2024-08-14T13:44:58.166000+00:00


SOURCES UPDATE DATE

db: ZDI, id: ZDI-19-568, date: 2019-06-13T00:00:00
db: ZDI, id: ZDI-19-570, date: 2019-06-13T00:00:00
db: ZDI, id: ZDI-19-566, date: 2019-06-13T00:00:00
db: BID, id: 108683, date: 2019-06-06T00:00:00
db: JVNDB, id: JVNDB-2019-005356, date: 2019-06-19T00:00:00
db: CNNVD, id: CNNVD-201906-279, date: 2020-10-09T00:00:00
db: NVD, id: CVE-2019-6532, date: 2020-10-06T18:11:17.167

SOURCES RELEASE DATE

db: ZDI, id: ZDI-19-568, date: 2019-06-13T00:00:00
db: ZDI, id: ZDI-19-570, date: 2019-06-13T00:00:00
db: ZDI, id: ZDI-19-566, date: 2019-06-13T00:00:00
db: BID, id: 108683, date: 2019-06-06T00:00:00
db: JVNDB, id: JVNDB-2019-005356, date: 2019-06-19T00:00:00
db: CNNVD, id: CNNVD-201906-279, date: 2019-06-06T00:00:00
db: NVD, id: CVE-2019-6532, date: 2019-06-07T14:29:00.480