Sign-up

ID

VAR-201412-0557


CVE

CVE-2014-8511


TITLE

Schneider Electric ProClima of Atx45.ocx of ActiveX Control buffer overflow vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2014-007420

DESCRIPTION

Buffer overflow in an ActiveX control in Atx45.ocx in Schneider Electric ProClima before 6.1.7 allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-8512. NOTE: this may be clarified later based on details provided by researchers. This vulnerability CVE-2014-8512 Is a different vulnerability. The details of this issue may become clear in the future based on information provided by researchers.A third party may execute arbitrary code. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the ATX45.ATX45Ctrl.1 ActiveX control in Atx45.ocx. The control does not check the length of an attacker-supplied string in the SetHtmlFileName method before copying it into a fixed length buffer on the heap. This allows an attacker to execute arbitrary code in the context of the browser process. Schneider Electric provides total solutions for the energy and infrastructure, industrial, data center and network, building and residential markets in more than 100 countries. Failed exploit attempts will likely result in denial-of-service conditions. ProClima 6.0.1 and prior are vulnerable. Schneider Electric ProClima is a set of thermal calculation software from Schneider Electric, France

Trust: 3.33

sources: NVD: CVE-2014-8511 // JVNDB: JVNDB-2014-007420 // ZDI: ZDI-15-003 // CNVD: CNVD-2014-09023 // BID: 71712 // IVD: ae2d23fe-2351-11e6-abef-000c29c66e3d // VULHUB: VHN-76456

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.8

sources: IVD: ae2d23fe-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-09023

AFFECTED PRODUCTS

vendor:schneider electricmodel:proclimascope:lteversion:6.0.1

Trust: 1.0

vendor:schneider electricmodel:proclimascope:ltversion:6.1.7

Trust: 0.8

vendor:schneider electricmodel:proclimascope: - version: -

Trust: 0.7

vendor:schneidermodel:electric proclimascope:ltversion:6.0.1

Trust: 0.6

vendor:schneider electricmodel:proclimascope:eqversion:6.0.1

Trust: 0.6

vendor:proclimamodel: - scope:eqversion:*

Trust: 0.2

sources: IVD: ae2d23fe-2351-11e6-abef-000c29c66e3d // ZDI: ZDI-15-003 // CNVD: CNVD-2014-09023 // JVNDB: JVNDB-2014-007420 // CNNVD: CNNVD-201412-569 // NVD: CVE-2014-8511

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-8511
value: HIGH

Trust: 1.0

NVD: CVE-2014-8511
value: HIGH

Trust: 0.8

ZDI: CVE-2014-8511
value: HIGH

Trust: 0.7

CNVD: CNVD-2014-09023
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201412-569
value: CRITICAL

Trust: 0.6

IVD: ae2d23fe-2351-11e6-abef-000c29c66e3d
value: CRITICAL

Trust: 0.2

VULHUB: VHN-76456
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2014-8511
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

ZDI: CVE-2014-8511
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.7

CNVD: CNVD-2014-09023
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: ae2d23fe-2351-11e6-abef-000c29c66e3d
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-76456
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: IVD: ae2d23fe-2351-11e6-abef-000c29c66e3d // ZDI: ZDI-15-003 // CNVD: CNVD-2014-09023 // VULHUB: VHN-76456 // JVNDB: JVNDB-2014-007420 // CNNVD: CNNVD-201412-569 // NVD: CVE-2014-8511

PROBLEMTYPE DATA

problemtype:CWE-119

Trust: 1.9

sources: VULHUB: VHN-76456 // JVNDB: JVNDB-2014-007420 // NVD: CVE-2014-8511

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201412-569

TYPE

Buffer overflow

Trust: 0.8

sources: IVD: ae2d23fe-2351-11e6-abef-000c29c66e3d // CNNVD: CNNVD-201412-569

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2014-007420

PATCH
title:ProClima Software Vulnerability Disclosureurl:http://download.schneider-electric.com/files?p_Doc_Ref=SEVD%202014-344-01
Trust: 0.8
title:Schneider Electric has issued an update to correct this vulnerability.url:https://ics-cert.us-cert.gov/advisories/ICSA-14-350-01
Trust: 0.7
title:Patch for Schneider Electric ProClima Remote Buffer Overflow Vulnerability (CNVD-2014-09023)url:https://www.cnvd.org.cn/patchInfo/show/52960
Trust: 0.6
sources:
            
            
            ZDI: ZDI-15-003 // 
            
            
            
            CNVD: CNVD-2014-09023 // 
            
            
            
            JVNDB: JVNDB-2014-007420

EXTERNAL IDS
db:NVDid:CVE-2014-8511
Trust: 4.3
db:ICS CERTid:ICSA-14-350-01
Trust: 2.5
db:BIDid:71712
Trust: 1.0
db:CNNVDid:CNNVD-201412-569
Trust: 0.9
db:CNVDid:CNVD-2014-09023
Trust: 0.8
db:JVNDBid:JVNDB-2014-007420
Trust: 0.8
db:ZDI_CANid:ZDI-CAN-2477
Trust: 0.7
db:ZDIid:ZDI-15-003
Trust: 0.7
db:IVDid:AE2D23FE-2351-11E6-ABEF-000C29C66E3D
Trust: 0.2
db:VULHUBid:VHN-76456
Trust: 0.1
sources:
            
            
            IVD: ae2d23fe-2351-11e6-abef-000c29c66e3d // 
            
            
            
            ZDI: ZDI-15-003 // 
            
            
            
            CNVD: CNVD-2014-09023 // 
            
            
            
            VULHUB: VHN-76456 // 
            
            
            
            BID: 71712 // 
            
            
            
            JVNDB: JVNDB-2014-007420 // 
            
            
            
            CNNVD: CNNVD-201412-569 // 
            
            
            
            NVD: CVE-2014-8511

REFERENCES
url:https://ics-cert.us-cert.gov/advisories/icsa-14-350-01
Trust: 3.2
url:http://download.schneider-electric.com/files?p_doc_ref=sevd%202014-344-01
Trust: 1.7
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-8511
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-8511
Trust: 0.8
url:http://www.securityfocus.com/bid/71712
Trust: 0.6
url:http://www.schneider-electric.com/site/home/index.cfm/ww/?selectcountry=true
Trust: 0.3
sources:
            
            
            ZDI: ZDI-15-003 // 
            
            
            
            CNVD: CNVD-2014-09023 // 
            
            
            
            VULHUB: VHN-76456 // 
            
            
            
            BID: 71712 // 
            
            
            
            JVNDB: JVNDB-2014-007420 // 
            
            
            
            CNNVD: CNNVD-201412-569 // 
            
            
            
            NVD: CVE-2014-8511

CREDITS
Ariele Caltabiano (kimiya)
Trust: 0.7
sources:
            
            
            ZDI: ZDI-15-003

SOURCES
db:IVDid:ae2d23fe-2351-11e6-abef-000c29c66e3d
db:ZDIid:ZDI-15-003
db:CNVDid:CNVD-2014-09023
db:VULHUBid:VHN-76456
db:BIDid:71712
db:JVNDBid:JVNDB-2014-007420
db:CNNVDid:CNNVD-201412-569
db:NVDid:CVE-2014-8511

LAST UPDATE DATE
2025-04-12T23:09:13.893000+00:00

SOURCES UPDATE DATE
db:ZDIid:ZDI-15-003date:2015-01-07T00:00:00
db:CNVDid:CNVD-2014-09023date:2014-12-19T00:00:00
db:VULHUBid:VHN-76456date:2015-02-02T00:00:00
db:BIDid:71712date:2015-01-12T00:02:00
db:JVNDBid:JVNDB-2014-007420date:2015-01-06T00:00:00
db:CNNVDid:CNNVD-201412-569date:2015-01-05T00:00:00
db:NVDid:CVE-2014-8511date:2025-04-12T10:46:40.837

SOURCES RELEASE DATE
db:IVDid:ae2d23fe-2351-11e6-abef-000c29c66e3ddate:2014-12-19T00:00:00
db:ZDIid:ZDI-15-003date:2015-01-07T00:00:00
db:CNVDid:CNVD-2014-09023date:2014-12-19T00:00:00
db:VULHUBid:VHN-76456date:2014-12-27T00:00:00
db:BIDid:71712date:2014-12-10T00:00:00
db:JVNDBid:JVNDB-2014-007420date:2015-01-06T00:00:00
db:CNNVDid:CNNVD-201412-569date:2014-12-27T00:00:00
db:NVDid:CVE-2014-8511date:2014-12-27T15:59:00.057