Sign-up

ID

VAR-201412-0560


CVE

CVE-2014-8514


TITLE

Schneider Electric ProClima of MDraw30.ocx of ActiveX Control buffer overflow vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2014-007423

DESCRIPTION

Buffer overflow in an ActiveX control in MDraw30.ocx in Schneider Electric ProClima before 6.1.7 allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-8513 and CVE-2014-9188. NOTE: this may be clarified later based on details provided by researchers. This vulnerability CVE-2014-8513 and CVE-2014-9188 Is a different vulnerability. The details of this issue may become clear in the future based on information provided by researchers.A third party may execute arbitrary code. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the MetaDraw ActiveX control's ObjLinks property. This property can be assigned an attacker-supplied memory address and the control will redirect execution flow to this given memory address. An attacker can exploit this condition to achieve code execution under the context of the browser process. Schneider Electric provides total solutions for the energy and infrastructure, industrial, data center and network, building and residential markets in more than 100 countries. Failed exploit attempts will likely result in denial-of-service conditions. ProClima 6.0.1 and prior are vulnerable. Schneider Electric ProClima is a set of thermal calculation software from Schneider Electric, France

Trust: 3.33

sources: NVD: CVE-2014-8514 // JVNDB: JVNDB-2014-007423 // ZDI: ZDI-15-002 // CNVD: CNVD-2014-09025 // BID: 71710 // IVD: ae33c182-2351-11e6-abef-000c29c66e3d // VULHUB: VHN-76459

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.8

sources: IVD: ae33c182-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-09025

AFFECTED PRODUCTS

vendor:schneider electricmodel:proclimascope:lteversion:6.0.1

Trust: 1.0

vendor:schneider electricmodel:proclimascope:ltversion:6.1.7

Trust: 0.8

vendor:schneider electricmodel:proclimascope: - version: -

Trust: 0.7

vendor:schneidermodel:electric proclimascope:ltversion:6.0.1

Trust: 0.6

vendor:schneider electricmodel:proclimascope:eqversion:6.0.1

Trust: 0.6

vendor:proclimamodel: - scope:eqversion:*

Trust: 0.2

sources: IVD: ae33c182-2351-11e6-abef-000c29c66e3d // ZDI: ZDI-15-002 // CNVD: CNVD-2014-09025 // JVNDB: JVNDB-2014-007423 // CNNVD: CNNVD-201412-572 // NVD: CVE-2014-8514

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-8514
value: HIGH

Trust: 1.0

NVD: CVE-2014-8514
value: HIGH

Trust: 0.8

ZDI: CVE-2014-8514
value: HIGH

Trust: 0.7

CNVD: CNVD-2014-09025
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201412-572
value: HIGH

Trust: 0.6

IVD: ae33c182-2351-11e6-abef-000c29c66e3d
value: HIGH

Trust: 0.2

VULHUB: VHN-76459
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2014-8514
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 2.5

CNVD: CNVD-2014-09025
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: ae33c182-2351-11e6-abef-000c29c66e3d
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-76459
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: IVD: ae33c182-2351-11e6-abef-000c29c66e3d // ZDI: ZDI-15-002 // CNVD: CNVD-2014-09025 // VULHUB: VHN-76459 // JVNDB: JVNDB-2014-007423 // CNNVD: CNNVD-201412-572 // NVD: CVE-2014-8514

PROBLEMTYPE DATA

problemtype:CWE-119

Trust: 1.9

sources: VULHUB: VHN-76459 // JVNDB: JVNDB-2014-007423 // NVD: CVE-2014-8514

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201412-572

TYPE

Buffer overflow

Trust: 0.8

sources: IVD: ae33c182-2351-11e6-abef-000c29c66e3d // CNNVD: CNNVD-201412-572

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2014-007423

PATCH
title:ProClima Software Vulnerability Disclosureurl:http://download.schneider-electric.com/files?p_Doc_Ref=SEVD%202014-344-01
Trust: 0.8
title:Schneider Electric has issued an update to correct this vulnerability.url:https://ics-cert.us-cert.gov/advisories/ICSA-14-350-01
Trust: 0.7
title:Patch for Schneider Electric ProClima Remote Buffer Overflow Vulnerability (CNVD-2014-09025)url:https://www.cnvd.org.cn/patchInfo/show/52958
Trust: 0.6
title:ProClima_v6.1.8_setupurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=53033
Trust: 0.6
sources:
            
            
            ZDI: ZDI-15-002 // 
            
            
            
            CNVD: CNVD-2014-09025 // 
            
            
            
            JVNDB: JVNDB-2014-007423 // 
            
            
            
            CNNVD: CNNVD-201412-572

EXTERNAL IDS
db:NVDid:CVE-2014-8514
Trust: 4.3
db:ICS CERTid:ICSA-14-350-01
Trust: 2.8
db:BIDid:71710
Trust: 2.0
db:ZDIid:ZDI-15-002
Trust: 1.0
db:CNNVDid:CNNVD-201412-572
Trust: 0.9
db:CNVDid:CNVD-2014-09025
Trust: 0.8
db:JVNDBid:JVNDB-2014-007423
Trust: 0.8
db:ZDI_CANid:ZDI-CAN-2483
Trust: 0.7
db:IVDid:AE33C182-2351-11E6-ABEF-000C29C66E3D
Trust: 0.2
db:VULHUBid:VHN-76459
Trust: 0.1
sources:
            
            
            IVD: ae33c182-2351-11e6-abef-000c29c66e3d // 
            
            
            
            ZDI: ZDI-15-002 // 
            
            
            
            CNVD: CNVD-2014-09025 // 
            
            
            
            VULHUB: VHN-76459 // 
            
            
            
            BID: 71710 // 
            
            
            
            JVNDB: JVNDB-2014-007423 // 
            
            
            
            CNNVD: CNNVD-201412-572 // 
            
            
            
            NVD: CVE-2014-8514

REFERENCES
url:https://ics-cert.us-cert.gov/advisories/icsa-14-350-01
Trust: 3.5
url:http://www.securityfocus.com/bid/71710
Trust: 1.7
url:http://download.schneider-electric.com/files?p_doc_ref=sevd%202014-344-01
Trust: 1.7
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-8514
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-8514
Trust: 0.8
url:http://www.schneider-electric.com/products/ww/en/5100-software/5110-electrical-design-software/2560-proclima/
Trust: 0.3
url:http://www.schneider-electric.com/site/home/index.cfm/ww/?selectcountry=true
Trust: 0.3
url:http://www2.schneider-electric.com/sites/corporate/en/support/cybersecurity/cyber-security-vulnerabilities-sorted.page
Trust: 0.3
url:http://www.zerodayinitiative.com/advisories/zdi-15-002/
Trust: 0.3
sources:
            
            
            ZDI: ZDI-15-002 // 
            
            
            
            CNVD: CNVD-2014-09025 // 
            
            
            
            VULHUB: VHN-76459 // 
            
            
            
            BID: 71710 // 
            
            
            
            JVNDB: JVNDB-2014-007423 // 
            
            
            
            CNNVD: CNNVD-201412-572 // 
            
            
            
            NVD: CVE-2014-8514

CREDITS
Ariele Caltabiano (kimiya)
Trust: 0.7
sources:
            
            
            ZDI: ZDI-15-002

SOURCES
db:IVDid:ae33c182-2351-11e6-abef-000c29c66e3d
db:ZDIid:ZDI-15-002
db:CNVDid:CNVD-2014-09025
db:VULHUBid:VHN-76459
db:BIDid:71710
db:JVNDBid:JVNDB-2014-007423
db:CNNVDid:CNNVD-201412-572
db:NVDid:CVE-2014-8514

LAST UPDATE DATE
2025-04-13T23:18:13.156000+00:00

SOURCES UPDATE DATE
db:ZDIid:ZDI-15-002date:2015-01-07T00:00:00
db:CNVDid:CNVD-2014-09025date:2014-12-19T00:00:00
db:VULHUBid:VHN-76459date:2016-12-31T00:00:00
db:BIDid:71710date:2015-07-15T00:14:00
db:JVNDBid:JVNDB-2014-007423date:2015-01-06T00:00:00
db:CNNVDid:CNNVD-201412-572date:2015-01-04T00:00:00
db:NVDid:CVE-2014-8514date:2025-04-12T10:46:40.837

SOURCES RELEASE DATE
db:IVDid:ae33c182-2351-11e6-abef-000c29c66e3ddate:2014-12-19T00:00:00
db:ZDIid:ZDI-15-002date:2015-01-07T00:00:00
db:CNVDid:CNVD-2014-09025date:2014-12-19T00:00:00
db:VULHUBid:VHN-76459date:2014-12-27T00:00:00
db:BIDid:71710date:2014-12-10T00:00:00
db:JVNDBid:JVNDB-2014-007423date:2015-01-06T00:00:00
db:CNNVDid:CNNVD-201412-572date:2014-12-27T00:00:00
db:NVDid:CVE-2014-8514date:2014-12-27T15:59:03.823