Details of VAR-201501-0398

ID

VAR-201501-0398

CVE

CVE-2014-9190

TITLE

Schneider Electric Wonderware InTouch Access Anywhere Server Buffer Overflow Vulnerability

Trust: 0.8

sources: IVD: aad6dba0-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-00342

DESCRIPTION

Stack-based buffer overflow in Schneider Electric Wonderware InTouch Access Anywhere Server 10.6 and 11.0 allows remote attackers to execute arbitrary code via a request for a filename that does not exist. Schneider Electric provides total solutions for the energy and infrastructure, industrial, data center and network, building and residential markets in more than 100 countries. Attackers can exploit this issue to execute arbitrary code in the context of the affected system. Failed exploit attempts will likely result in denial-of-service conditions. Wonderware InTouch Access Anywhere Server 10.6 and 11.0 are vulnerable; other versions may also be affected. Schneider Electric Wonderware InTouch is an open, scalable HMI and SCADA monitoring solution from Schneider Electric, France, that creates standardized, reusable visualization applications

Trust: 2.7

sources: NVD: CVE-2014-9190 // JVNDB: JVNDB-2014-007575 // CNVD: CNVD-2015-00342 // BID: 71951 // IVD: aad6dba0-2351-11e6-abef-000c29c66e3d // VULHUB: VHN-77135

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.8

sources: IVD: aad6dba0-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-00342

AFFECTED PRODUCTS

vendor:	schneider electric	model:	wonderware intouch access anywhere server	scope:	eq	version:	10.6	Trust: 2.4
vendor:	schneider electric	model:	wonderware intouch access anywhere server	scope:	eq	version:	11.0	Trust: 2.4
vendor:	schneider	model:	electric wonderware intouch access anywhere server	scope:	eq	version:	10.6	Trust: 0.6
vendor:	schneider	model:	electric wonderware intouch access anywhere server	scope:	eq	version:	11.0	Trust: 0.6
vendor:	wonderware intouch access anywhere server	model:	-	scope:	eq	version:	10.6	Trust: 0.2
vendor:	wonderware intouch access anywhere server	model:	-	scope:	eq	version:	11.0	Trust: 0.2

sources: IVD: aad6dba0-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-00342 // JVNDB: JVNDB-2014-007575 // CNNVD: CNNVD-201501-201 // NVD: CVE-2014-9190

CVSS

SEVERITY

CVSSV2

CVSSV3

ics-cert@hq.dhs.gov:	CVE-2014-9190
value:	HIGH
Trust: 1.0
nvd@nist.gov:	CVE-2014-9190
value:	HIGH
Trust: 1.0
NVD:	CVE-2014-9190
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2015-00342
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201501-201
value:	CRITICAL
Trust: 0.6
IVD:	aad6dba0-2351-11e6-abef-000c29c66e3d
value:	CRITICAL
Trust: 0.2
VULHUB:	VHN-77135
value:	HIGH
Trust: 0.1

ics-cert@hq.dhs.gov:	CVE-2014-9190
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 2.8
CNVD:	CNVD-2015-00342
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	aad6dba0-2351-11e6-abef-000c29c66e3d
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
VULHUB:	VHN-77135
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: IVD: aad6dba0-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-00342 // VULHUB: VHN-77135 // JVNDB: JVNDB-2014-007575 // CNNVD: CNNVD-201501-201 // NVD: CVE-2014-9190 // NVD: CVE-2014-9190

PROBLEMTYPE DATA

problemtype:	CWE-119	Trust: 1.9
problemtype:	CWE-121	Trust: 1.0

sources: VULHUB: VHN-77135 // JVNDB: JVNDB-2014-007575 // NVD: CVE-2014-9190

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201501-201

TYPE

Buffer overflow

Trust: 0.8

sources: IVD: aad6dba0-2351-11e6-abef-000c29c66e3d // CNNVD: CNNVD-201501-201

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-007575

PATCH

title:	Web HMI and Mobile SCADA: Wonderware InTouch Access Anywhere	url:	http://software.invensys.com/products/wonderware/hmi-and-supervisory-control/intouch-access-anywhere/	Trust: 0.8
title:	Schneider Electric Wonderware InTouch Access Anywhere Server Buffer Overflow Vulnerability Patch	url:	https://www.cnvd.org.cn/patchInfo/show/53978	Trust: 0.6

sources: CNVD: CNVD-2015-00342 // JVNDB: JVNDB-2014-007575

EXTERNAL IDS

db:	NVD	id:	CVE-2014-9190	Trust: 3.6
db:	ICS CERT	id:	ICSA-15-008-02	Trust: 3.1
db:	BID	id:	71951	Trust: 1.0
db:	CNNVD	id:	CNNVD-201501-201	Trust: 0.9
db:	CNVD	id:	CNVD-2015-00342	Trust: 0.8
db:	JVNDB	id:	JVNDB-2014-007575	Trust: 0.8
db:	IVD	id:	AAD6DBA0-2351-11E6-ABEF-000C29C66E3D	Trust: 0.2
db:	VULHUB	id:	VHN-77135	Trust: 0.1

sources: IVD: aad6dba0-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-00342 // VULHUB: VHN-77135 // BID: 71951 // JVNDB: JVNDB-2014-007575 // CNNVD: CNNVD-201501-201 // NVD: CVE-2014-9190

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-15-008-02	Trust: 3.1
url:	https://wdnresource.wonderware.com/support/docs/_securitybulletins/security_bulletin_lfsec00000104.pdf	Trust: 1.7
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-9190	Trust: 1.4
url:	https://www.cisa.gov/news-events/ics-advisories/icsa-15-008-02	Trust: 1.0
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-9190	Trust: 0.8
url:	http://www.securityfocus.com/bid/71951/	Trust: 0.6
url:	http://www.schneider-electric.com/site/home/index.cfm/ww/?selectcountry=true	Trust: 0.3

sources: CNVD: CNVD-2015-00342 // VULHUB: VHN-77135 // BID: 71951 // JVNDB: JVNDB-2014-007575 // CNNVD: CNNVD-201501-201 // NVD: CVE-2014-9190

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 71951

SOURCES

db:	IVD	id:	aad6dba0-2351-11e6-abef-000c29c66e3d
db:	CNVD	id:	CNVD-2015-00342
db:	VULHUB	id:	VHN-77135
db:	BID	id:	71951
db:	JVNDB	id:	JVNDB-2014-007575
db:	CNNVD	id:	CNNVD-201501-201
db:	NVD	id:	CVE-2014-9190

LAST UPDATE DATE

2025-07-26T23:17:49.365000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2015-00342	date:	2015-01-15T00:00:00
db:	VULHUB	id:	VHN-77135	date:	2015-01-12T00:00:00
db:	BID	id:	71951	date:	2015-03-19T08:13:00
db:	JVNDB	id:	JVNDB-2014-007575	date:	2015-01-14T00:00:00
db:	CNNVD	id:	CNNVD-201501-201	date:	2015-01-21T00:00:00
db:	NVD	id:	CVE-2014-9190	date:	2025-07-24T23:15:25.860

SOURCES RELEASE DATE

db:	IVD	id:	aad6dba0-2351-11e6-abef-000c29c66e3d	date:	2015-01-15T00:00:00
db:	CNVD	id:	CNVD-2015-00342	date:	2015-01-15T00:00:00
db:	VULHUB	id:	VHN-77135	date:	2015-01-10T00:00:00
db:	BID	id:	71951	date:	2015-01-08T00:00:00
db:	JVNDB	id:	JVNDB-2014-007575	date:	2015-01-14T00:00:00
db:	CNNVD	id:	CNNVD-201501-201	date:	2015-01-12T00:00:00
db:	NVD	id:	CVE-2014-9190	date:	2015-01-10T02:59:33.693