ID

VAR-201908-0866


CVE

CVE-2019-13514


TITLE

Delta Electronics Industrial Automation DOPSoft Resource Management Error Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2020-17023 // CNNVD: CNNVD-201908-1052

DESCRIPTION

In Delta Industrial Automation DOPSoft, Version 4.00.06.15 and prior, processing a specially crafted project file may trigger a use-after-free vulnerability, which may allow information disclosure, remote code execution, or a crash of the application. Delta Industrial Automation DOPSoft contains a use-after-free vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DPA files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Delta Electronics Industrial Automation DOPSoft is human-machine interface (HMI) software from Taiwan's Delta Electronics.

Trust: 2.88

sources: NVD: CVE-2019-13514 // JVNDB: JVNDB-2019-008309 // ZDI: ZDI-19-717 // CNVD: CNVD-2020-17023 // VULMON: CVE-2019-13514

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-17023

AFFECTED PRODUCTS

vendor: deltaww, model: delta industrial automation dopsoft, scope: lte, version: 4.00.06.15

Trust: 1.0

vendor: delta, model: industrial automation dopsoft, scope: lte, version: 4.00.06.15

Trust: 0.8

vendor: delta industrial automation, model: dopsoft, scope: -, version: -

Trust: 0.7

vendor: delta, model: electronics delta industrial automation dopsoft, scope: lte, version: <=4.00.06.15

Trust: 0.6

sources: ZDI: ZDI-19-717 // CNVD: CNVD-2020-17023 // JVNDB: JVNDB-2019-008309 // NVD: CVE-2019-13514

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-13514
value: HIGH

Trust: 1.0

NVD: CVE-2019-13514
value: HIGH

Trust: 0.8

ZDI: CVE-2019-13514
value: HIGH

Trust: 0.7

CNVD: CNVD-2020-17023
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201908-1052
value: HIGH

Trust: 0.6

VULMON: CVE-2019-13514
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-13514
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2020-17023
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2019-13514
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2019-13514
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

ZDI: CVE-2019-13514
baseSeverity: HIGH
baseScore: 7.8
vectorString: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 0.7

sources: ZDI: ZDI-19-717 // CNVD: CNVD-2020-17023 // VULMON: CVE-2019-13514 // JVNDB: JVNDB-2019-008309 // CNNVD: CNNVD-201908-1052 // NVD: CVE-2019-13514

PROBLEMTYPE DATA

problemtype:CWE-416

Trust: 1.8

sources: JVNDB: JVNDB-2019-008309 // NVD: CVE-2019-13514

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201908-1052

TYPE

resource management error

Trust: 0.6

sources: CNNVD: CNNVD-201908-1052

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-008309

PATCH

title: Top Page
url: http://www.deltaww.com/

Trust: 0.8

title: Delta Industrial Automation has issued an update to correct this vulnerability.
url: https://www.us-cert.gov/ics/advisories/icsa-19-225-01

Trust: 0.7

title: Patch for Delta Electronics Industrial Automation DOPSoft Resource Management Error Vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/208773

Trust: 0.6

title: Delta Industrial Automation DOPSoft Remediation of resource management error vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=96729

Trust: 0.6

sources: ZDI: ZDI-19-717 // CNVD: CNVD-2020-17023 // JVNDB: JVNDB-2019-008309 // CNNVD: CNNVD-201908-1052

EXTERNAL IDS

db: NVD, id: CVE-2019-13514

Trust: 3.8

db: ICS CERT, id: ICSA-19-225-01

Trust: 3.1

db: ZDI, id: ZDI-19-717

Trust: 2.4

db: JVNDB, id: JVNDB-2019-008309

Trust: 0.8

db: ZDI_CAN, id: ZDI-CAN-8250

Trust: 0.7

db: CNVD, id: CNVD-2020-17023

Trust: 0.6

db: AUSCERT, id: ESB-2019.3104

Trust: 0.6

db: CNNVD, id: CNNVD-201908-1052

Trust: 0.6

db: VULMON, id: CVE-2019-13514

Trust: 0.1

sources: ZDI: ZDI-19-717 // CNVD: CNVD-2020-17023 // VULMON: CVE-2019-13514 // JVNDB: JVNDB-2019-008309 // CNNVD: CNNVD-201908-1052 // NVD: CVE-2019-13514

REFERENCES

url:https://www.us-cert.gov/ics/advisories/icsa-19-225-01

Trust: 3.8

url:https://www.zerodayinitiative.com/advisories/zdi-19-717/

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2019-13514

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-13514

Trust: 0.8

url:https://www.auscert.org.au/bulletins/esb-2019.3104/

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/416.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/165328

Trust: 0.1

sources: ZDI: ZDI-19-717 // CNVD: CNVD-2020-17023 // VULMON: CVE-2019-13514 // JVNDB: JVNDB-2019-008309 // CNNVD: CNNVD-201908-1052 // NVD: CVE-2019-13514

CREDITS

kimiya of 9SG Security Team - kimiya@9sgsec.com

Trust: 0.7

sources: ZDI: ZDI-19-717

SOURCES

db: ZDI, id: ZDI-19-717
db: CNVD, id: CNVD-2020-17023
db: VULMON, id: CVE-2019-13514
db: JVNDB, id: JVNDB-2019-008309
db: CNNVD, id: CNNVD-201908-1052
db: NVD, id: CVE-2019-13514

LAST UPDATE DATE

2024-11-23T21:59:47.126000+00:00


SOURCES UPDATE DATE

db: ZDI, id: ZDI-19-717, date: 2019-08-16T00:00:00
db: CNVD, id: CNVD-2020-17023, date: 2020-03-13T00:00:00
db: VULMON, id: CVE-2019-13514, date: 2019-10-09T00:00:00
db: JVNDB, id: JVNDB-2019-008309, date: 2019-08-29T00:00:00
db: CNNVD, id: CNNVD-201908-1052, date: 2019-09-04T00:00:00
db: NVD, id: CVE-2019-13514, date: 2024-11-21T04:25:03.007

SOURCES RELEASE DATE

db: ZDI, id: ZDI-19-717, date: 2019-08-16T00:00:00
db: CNVD, id: CNVD-2020-17023, date: 2020-03-13T00:00:00
db: VULMON, id: CVE-2019-13514, date: 2019-08-15T00:00:00
db: JVNDB, id: JVNDB-2019-008309, date: 2019-08-29T00:00:00
db: CNNVD, id: CNNVD-201908-1052, date: 2019-08-14T00:00:00
db: NVD, id: CVE-2019-13514, date: 2019-08-15T19:15:11.153