Sign-up

ID

VAR-202109-1255


CVE

CVE-2021-38406


TITLE

Delta Electronics  Made  DOPSoft 2  Multiple vulnerabilities in

Trust: 0.8

sources: JVNDB: JVNDB-2021-002380

DESCRIPTION

Delta Electronic DOPSoft 2 (Version 2.00.07 and prior) lacks proper validation of user-supplied data when parsing specific project files. This could result in multiple out-of-bounds write instances. An attacker could leverage this vulnerability to execute code in the context of the current process. Delta Electronics Provided by the company DOPSoft 2 The following multiple vulnerabilities exist in. * Stack-based buffer overflow ( CWE-121 ) - CVE-2021-38402 ‥ * Out-of-bounds writing ( CWE-787 ) - CVE-2021-38406 ‥ * Heap-based buffer overflow ( CWE-122 ) - CVE-2021-38404When loading a specially crafted project file, malicious code is executed with the privileges of the process in which the product runs. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Delta Industrial Automation DOPSoft. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the parsing of XLS files. Delta Electronics DOPSoft is a set of Human-Machine Interface (HMI) software of Taiwan Delta Electronics (Delta Electronics). Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements

Trust: 3.42

sources: NVD: CVE-2021-38406 // JVNDB: JVNDB-2021-002380 // ZDI: ZDI-21-960 // CNVD: CNVD-2021-70155 // CNNVD: CNNVD-202104-975 // VULMON: CVE-2021-38406

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2021-70155

AFFECTED PRODUCTS

vendor:deltawwmodel:dopsoftscope:lteversion:2.00.07

Trust: 1.0

vendor:deltawwmodel:dopsoftscope:gteversion:2.00

Trust: 1.0

vendor:deltamodel:dopsoft 2scope:lteversion:2.00.07 and earlier

Trust: 0.8

vendor:deltamodel:dopsoft 2scope:eqversion: -

Trust: 0.8

vendor:delta industrial automationmodel:dopsoftscope: - version: -

Trust: 0.7

vendor:deltamodel:electronics dopsoftscope:eqversion:2<=2.00.07

Trust: 0.6

sources: ZDI: ZDI-21-960 // CNVD: CNVD-2021-70155 // JVNDB: JVNDB-2021-002380 // NVD: CVE-2021-38406

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-38406
value: HIGH

Trust: 1.0

ics-cert@hq.dhs.gov: CVE-2021-38406
value: HIGH

Trust: 1.0

OTHER: JVNDB-2021-002380
value: HIGH

Trust: 0.8

ZDI: CVE-2021-38406
value: HIGH

Trust: 0.7

CNVD: CNVD-2021-70155
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202104-975
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202109-541
value: HIGH

Trust: 0.6

VULMON: CVE-2021-38406
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2021-38406
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

CNVD: CNVD-2021-70155
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2021-38406
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 2.0

OTHER: JVNDB-2021-002380
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

ZDI: CVE-2021-38406
baseSeverity: HIGH
baseScore: 7.8
vectorString: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 0.7

sources: ZDI: ZDI-21-960 // CNVD: CNVD-2021-70155 // VULMON: CVE-2021-38406 // JVNDB: JVNDB-2021-002380 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202109-541 // NVD: CVE-2021-38406 // NVD: CVE-2021-38406

PROBLEMTYPE DATA

problemtype:CWE-787

Trust: 1.0

problemtype:Stack-based buffer overflow (CWE-121) [ Other ]

Trust: 0.8

problemtype: Heap-based buffer overflow (CWE-122) [ Other ]

Trust: 0.8

problemtype: Out-of-bounds writing (CWE-787) [ Other ]

Trust: 0.8

sources: JVNDB: JVNDB-2021-002380 // NVD: CVE-2021-38406

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202109-541

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

PATCH

title:Contact Usurl:https://www.deltaww.com/en/customerService

Trust: 0.8

sources: JVNDB: JVNDB-2021-002380

EXTERNAL IDS

db:NVDid:CVE-2021-38406

Trust: 3.8

db:ICS CERTid:ICSA-21-252-02

Trust: 3.1

db:JVNid:JVNVU95804712

Trust: 0.8

db:JVNDBid:JVNDB-2021-002380

Trust: 0.8

db:ZDI_CANid:ZDI-CAN-13127

Trust: 0.7

db:ZDIid:ZDI-21-960

Trust: 0.7

db:CNVDid:CNVD-2021-70155

Trust: 0.6

db:CS-HELPid:SB2021041363

Trust: 0.6

db:CNNVDid:CNNVD-202104-975

Trust: 0.6

db:CS-HELPid:SB2021091004

Trust: 0.6

db:AUSCERTid:ESB-2021.3042

Trust: 0.6

db:CNNVDid:CNNVD-202109-541

Trust: 0.6

db:VULMONid:CVE-2021-38406

Trust: 0.1

sources: ZDI: ZDI-21-960 // CNVD: CNVD-2021-70155 // VULMON: CVE-2021-38406 // JVNDB: JVNDB-2021-002380 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202109-541 // NVD: CVE-2021-38406

REFERENCES

url:https://us-cert.cisa.gov/ics/advisories/icsa-21-252-02

Trust: 3.7

url:https://jvn.jp/vu/jvnvu95804712/

Trust: 0.8

url:https://www.cybersecurity-help.cz/vdb/sb2021041363

Trust: 0.6

url:https://nvd.nist.gov/vuln/detail/cve-2021-38406

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.3042

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2021091004

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/787.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: CNVD: CNVD-2021-70155 // VULMON: CVE-2021-38406 // JVNDB: JVNDB-2021-002380 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202109-541 // NVD: CVE-2021-38406

CREDITS

kimiya

Trust: 0.7

sources: ZDI: ZDI-21-960

SOURCES

db:ZDIid:ZDI-21-960
db:CNVDid:CNVD-2021-70155
db:VULMONid:CVE-2021-38406
db:JVNDBid:JVNDB-2021-002380
db:CNNVDid:CNNVD-202104-975
db:CNNVDid:CNNVD-202109-541
db:NVDid:CVE-2021-38406

LAST UPDATE DATE

2024-08-14T12:24:55.079000+00:00


SOURCES UPDATE DATE

db:ZDIid:ZDI-21-960date:2021-08-09T00:00:00
db:CNVDid:CNVD-2021-70155date:2022-01-18T00:00:00
db:VULMONid:CVE-2021-38406date:2021-10-04T00:00:00
db:JVNDBid:JVNDB-2021-002380date:2021-09-13T06:46:00
db:CNNVDid:CNNVD-202104-975date:2021-04-14T00:00:00
db:CNNVDid:CNNVD-202109-541date:2021-10-08T00:00:00
db:NVDid:CVE-2021-38406date:2021-10-04T18:13:12.250

SOURCES RELEASE DATE

db:ZDIid:ZDI-21-960date:2021-08-09T00:00:00
db:CNVDid:CNVD-2021-70155date:2021-09-12T00:00:00
db:VULMONid:CVE-2021-38406date:2021-09-17T00:00:00
db:JVNDBid:JVNDB-2021-002380date:2021-09-13T00:00:00
db:CNNVDid:CNNVD-202104-975date:2021-04-13T00:00:00
db:CNNVDid:CNNVD-202109-541date:2021-09-09T00:00:00
db:NVDid:CVE-2021-38406date:2021-09-17T19:15:08.710