ID

VAR-201411-0420


CVE

CVE-2014-5424


TITLE

Denial-of-Service (DoS) Vulnerabilities in Rockwell Automation Connected Components Workbench

Trust: 0.8

sources: JVNDB: JVNDB-2014-005454

DESCRIPTION

Rockwell Automation Connected Components Workbench (CCW) before 7.00.00 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an invalid property value to an ActiveX control that was built with an outdated compiler. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the RA.ViewElements.Grid.1 ActiveXControl method. By providing a malicious value to the LeftXOffset property, an attacker can write a four byte null value to an arbitrary location. An attacker could use this to execute arbitrary code in the context of the browser. Rockwell Automation CCW is an HMI editor and component-level industrial product for designing and configuring applications and implementing microcontrollers. Failed exploit attempts will likely result in denial-of-service conditions. Rockwell Automation CCW 6.01.00 and prior are vulnerable. The software can be used for controller programming and device configuration, and is integrated with an HMI editor to further simplify stand-alone device programming. A security vulnerability exists in Rockwell Automation CCW versions prior to 7.00.00 due to the program using an older version of the compiler to create custom ActiveX components.

Trust: 3.96

sources: NVD: CVE-2014-5424 // JVNDB: JVNDB-2014-005454 // ZDI: ZDI-14-384 // ZDI: ZDI-14-383 // CNVD: CNVD-2014-08308 // BID: 71052 // IVD: b9014a1c-2351-11e6-abef-000c29c66e3d // VULHUB: VHN-73365

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.8

sources: IVD: b9014a1c-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-08308

AFFECTED PRODUCTS

vendor: rockwell automation, model: connected components workbench, scope: -, version: -

Trust: 1.4

vendor: rockwellautomation, model: connected components workbench, scope: lte, version: 6.01.00

Trust: 1.0

vendor: rockwell automation, model: connected components workbench, scope: lt, version: 7.00.00

Trust: 0.8

vendor: rockwell, model: software rockwell automation ccw, scope: lte, version: <=6.01.00

Trust: 0.6

vendor: rockwellautomation, model: connected components workbench, scope: eq, version: 6.01.00

Trust: 0.6

vendor: connected components workbench, model: -, scope: eq, version: *

Trust: 0.2

sources: IVD: b9014a1c-2351-11e6-abef-000c29c66e3d // ZDI: ZDI-14-384 // ZDI: ZDI-14-383 // CNVD: CNVD-2014-08308 // JVNDB: JVNDB-2014-005454 // CNNVD: CNNVD-201411-206 // NVD: CVE-2014-5424

CVSS

SEVERITY

CVSSV2

CVSSV3

ZDI: CVE-2014-5424
value: HIGH

Trust: 1.4

nvd@nist.gov: CVE-2014-5424
value: HIGH

Trust: 1.0

NVD: CVE-2014-5424
value: HIGH

Trust: 0.8

CNVD: CNVD-2014-08308
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201411-206
value: HIGH

Trust: 0.6

IVD: b9014a1c-2351-11e6-abef-000c29c66e3d
value: HIGH

Trust: 0.2

VULHUB: VHN-73365
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2014-5424
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 3.2

CNVD: CNVD-2014-08308
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: b9014a1c-2351-11e6-abef-000c29c66e3d
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-73365
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: IVD: b9014a1c-2351-11e6-abef-000c29c66e3d // ZDI: ZDI-14-384 // ZDI: ZDI-14-383 // CNVD: CNVD-2014-08308 // VULHUB: VHN-73365 // JVNDB: JVNDB-2014-005454 // CNNVD: CNNVD-201411-206 // NVD: CVE-2014-5424

PROBLEMTYPE DATA

problemtype:CWE-264

Trust: 1.9

sources: VULHUB: VHN-73365 // JVNDB: JVNDB-2014-005454 // NVD: CVE-2014-5424

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201411-206

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201411-206

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-005454

PATCH

title: Rockwell Automation has issued an update to correct this vulnerability.
url: https://ics-cert.us-cert.gov/advisories/ICSA-14-294-01

Trust: 1.4

title: Top Page
url: http://www.rockwellautomation.com/

Trust: 0.8

title: Top Page
url: http://www.rockwellautomation.com/jpn/overview.page

Trust: 0.8

title: Rockwell Automation Connected Components Workbench has multiple patches for arbitrary code execution vulnerabilities
url: https://www.cnvd.org.cn/patchInfo/show/51910

Trust: 0.6

title: 7.00.00-CCW-Std-DVD-PartD
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=52441

Trust: 0.6

title: 7.00.00-CCW-Std-DVD-PartC
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=52440

Trust: 0.6

title: 7.00.00-CCW-Std-DVD-PartG
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=52444

Trust: 0.6

title: 7.00.00-CCW-Std-DVD-PartB
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=52439

Trust: 0.6

title: 7.00.00-CCW-Std-DVD-PartF
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=52443

Trust: 0.6

title: 7.00.00-CCW-Std-DVD-PartA
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=52438

Trust: 0.6

title: 7.00.00-CCW-Std-DVD-PartE
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=52442

Trust: 0.6

sources: ZDI: ZDI-14-384 // ZDI: ZDI-14-383 // CNVD: CNVD-2014-08308 // JVNDB: JVNDB-2014-005454 // CNNVD: CNNVD-201411-206

EXTERNAL IDS

db: NVD, id: CVE-2014-5424

Trust: 5.0

db: ICS CERT, id: ICSA-14-294-01

Trust: 3.1

db: BID, id: 71052

Trust: 1.0

db: CNVD, id: CNVD-2014-08308

Trust: 0.8

db: CNNVD, id: CNNVD-201411-206

Trust: 0.8

db: JVNDB, id: JVNDB-2014-005454

Trust: 0.8

db: ZDI_CAN, id: ZDI-CAN-2418

Trust: 0.7

db: ZDI, id: ZDI-14-384

Trust: 0.7

db: ZDI_CAN, id: ZDI-CAN-2417

Trust: 0.7

db: ZDI, id: ZDI-14-383

Trust: 0.7

db: IVD, id: B9014A1C-2351-11E6-ABEF-000C29C66E3D

Trust: 0.2

db: VULHUB, id: VHN-73365

Trust: 0.1

sources: IVD: b9014a1c-2351-11e6-abef-000c29c66e3d // ZDI: ZDI-14-384 // ZDI: ZDI-14-383 // CNVD: CNVD-2014-08308 // VULHUB: VHN-73365 // BID: 71052 // JVNDB: JVNDB-2014-005454 // CNNVD: CNNVD-201411-206 // NVD: CVE-2014-5424

REFERENCES

url:https://ics-cert.us-cert.gov/advisories/icsa-14-294-01

Trust: 4.5

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-5424

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-5424

Trust: 0.8

sources: ZDI: ZDI-14-384 // ZDI: ZDI-14-383 // CNVD: CNVD-2014-08308 // VULHUB: VHN-73365 // JVNDB: JVNDB-2014-005454 // CNNVD: CNNVD-201411-206 // NVD: CVE-2014-5424

CREDITS

Andrea Micalizzi (rgod)

Trust: 1.4

sources: ZDI: ZDI-14-384 // ZDI: ZDI-14-383

SOURCES

db: IVD, id: b9014a1c-2351-11e6-abef-000c29c66e3d
db: ZDI, id: ZDI-14-384
db: ZDI, id: ZDI-14-383
db: CNVD, id: CNVD-2014-08308
db: VULHUB, id: VHN-73365
db: BID, id: 71052
db: JVNDB, id: JVNDB-2014-005454
db: CNNVD, id: CNNVD-201411-206
db: NVD, id: CVE-2014-5424

LAST UPDATE DATE

2025-04-12T23:24:40.826000+00:00


SOURCES UPDATE DATE

db: ZDI, id: ZDI-14-384, date: 2014-11-19T00:00:00
db: ZDI, id: ZDI-14-383, date: 2014-11-19T00:00:00
db: CNVD, id: CNVD-2014-08308, date: 2014-11-17T00:00:00
db: VULHUB, id: VHN-73365, date: 2014-11-14T00:00:00
db: BID, id: 71052, date: 2014-11-24T00:56:00
db: JVNDB, id: JVNDB-2014-005454, date: 2014-11-17T00:00:00
db: CNNVD, id: CNNVD-201411-206, date: 2014-11-14T00:00:00
db: NVD, id: CVE-2014-5424, date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: IVD, id: b9014a1c-2351-11e6-abef-000c29c66e3d, date: 2014-11-17T00:00:00
db: ZDI, id: ZDI-14-384, date: 2014-11-19T00:00:00
db: ZDI, id: ZDI-14-383, date: 2014-11-19T00:00:00
db: CNVD, id: CNVD-2014-08308, date: 2014-11-17T00:00:00
db: VULHUB, id: VHN-73365, date: 2014-11-14T00:00:00
db: BID, id: 71052, date: 2014-11-11T00:00:00
db: JVNDB, id: JVNDB-2014-005454, date: 2014-11-17T00:00:00
db: CNNVD, id: CNNVD-201411-206, date: 2014-11-14T00:00:00
db: NVD, id: CVE-2014-5424, date: 2014-11-14T00:59:00.133