Details of VAR-201507-0328

ID

VAR-201507-0328

CVE

CVE-2015-4647

TITLE

Panasonic Security API SDK Stack Buffer Overflow Vulnerability

Trust: 0.8

sources: IVD: 859ac086-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-04199

DESCRIPTION

Multiple stack-based buffer overflows in Ipropsapi in Panasonic Security API (PS-API) ActiveX SDK before 8.10.18 allow remote attackers to execute arbitrary code via a long string in the (1) FilePassword property or to the (2) GetStringInfo method. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists in the GetStringInfo method. By passing a large string to the method, an attacker can cause a fixed-length stack buffer to overflow. An attacker could leverage this vulnerability to execute code under the context of the current process. The Panasonic Security API SDK is an API interface development kit (SDK) for a webcam from Matsushita Electric Industrial Co., Ltd., Japan. Failed exploit attempts will likely result in denial-of-service conditions

Trust: 3.87

sources: NVD: CVE-2015-4647 // JVNDB: JVNDB-2015-003462 // ZDI: ZDI-15-260 // ZDI: ZDI-15-259 // CNVD: CNVD-2015-04199 // BID: 75409 // IVD: 859ac086-2351-11e6-abef-000c29c66e3d

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.8

sources: IVD: 859ac086-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-04199

AFFECTED PRODUCTS

vendor:	panasonic	model:	security api	scope:	-	version:	-	Trust: 1.4
vendor:	panasonic	model:	security api activex sdk	scope:	lte	version:	8.10.14	Trust: 1.0
vendor:	panasonic	model:	security api activex sdk	scope:	lt	version:	8.10.18	Trust: 0.8
vendor:	panasonic	model:	security api sdk	scope:	-	version:	-	Trust: 0.6
vendor:	panasonic	model:	security api activex sdk	scope:	eq	version:	8.10.14	Trust: 0.6
vendor:	panasonic	model:	security api	scope:	eq	version:	0	Trust: 0.3
vendor:	security api activex sdk	model:	-	scope:	eq	version:	*	Trust: 0.2

sources: IVD: 859ac086-2351-11e6-abef-000c29c66e3d // ZDI: ZDI-15-260 // ZDI: ZDI-15-259 // CNVD: CNVD-2015-04199 // BID: 75409 // JVNDB: JVNDB-2015-003462 // CNNVD: CNNVD-201506-636 // NVD: CVE-2015-4647

CVSS

SEVERITY

CVSSV2

CVSSV3

ZDI:	CVE-2015-4647
value:	HIGH
Trust: 1.4
nvd@nist.gov:	CVE-2015-4647
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2015-4647
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2015-04199
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201506-636
value:	MEDIUM
Trust: 0.6
IVD:	859ac086-2351-11e6-abef-000c29c66e3d
value:	MEDIUM
Trust: 0.2

nvd@nist.gov:	CVE-2015-4647
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
ZDI:	CVE-2015-4647
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.4
CNVD:	CNVD-2015-04199
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	859ac086-2351-11e6-abef-000c29c66e3d
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2

sources: IVD: 859ac086-2351-11e6-abef-000c29c66e3d // ZDI: ZDI-15-260 // ZDI: ZDI-15-259 // CNVD: CNVD-2015-04199 // JVNDB: JVNDB-2015-003462 // CNNVD: CNNVD-201506-636 // NVD: CVE-2015-4647

PROBLEMTYPE DATA

problemtype:

CWE-119

Trust: 1.8

sources: JVNDB: JVNDB-2015-003462 // NVD: CVE-2015-4647

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201506-636

TYPE

Buffer overflow

Trust: 0.8

sources: IVD: 859ac086-2351-11e6-abef-000c29c66e3d // CNNVD: CNNVD-201506-636

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-003462

PATCH

title:	Panasonic has issued an update to correct this vulnerability.#SDK	url:	http://security.panasonic.com/pss/security/library/developer.html	Trust: 1.4
title:	SDK(PS-API)	url:	http://security.panasonic.com/pss/security/library/developer.html#SDK	Trust: 0.8
title:	Patch for Panasonic Security API SDK Stack Buffer Overflow Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/60296	Trust: 0.6

sources: ZDI: ZDI-15-260 // ZDI: ZDI-15-259 // CNVD: CNVD-2015-04199 // JVNDB: JVNDB-2015-003462

EXTERNAL IDS

db:	NVD	id:	CVE-2015-4647	Trust: 4.9
db:	ZDI	id:	ZDI-15-260	Trust: 4.0
db:	ZDI	id:	ZDI-15-259	Trust: 3.4
db:	BID	id:	75409	Trust: 1.9
db:	CNVD	id:	CNVD-2015-04199	Trust: 0.8
db:	CNNVD	id:	CNNVD-201506-636	Trust: 0.8
db:	JVNDB	id:	JVNDB-2015-003462	Trust: 0.8
db:	ZDI_CAN	id:	ZDI-CAN-2752	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-2753	Trust: 0.7
db:	IVD	id:	859AC086-2351-11E6-ABEF-000C29C66E3D	Trust: 0.2

REFERENCES

url:	http://www.zerodayinitiative.com/advisories/zdi-15-260/	Trust: 2.7
url:	http://www.zerodayinitiative.com/advisories/zdi-15-259/	Trust: 2.7
url:	http://security.panasonic.com/pss/security/library/developer.html#sdk	Trust: 1.9
url:	http://security.panasonic.com/pss/security/library/developer.html	Trust: 1.4
url:	http://www.securityfocus.com/bid/75409	Trust: 1.0
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-4647	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-4647	Trust: 0.8
url:	http://www.zerodayinitiative.com/advisories/zdi-15-260	Trust: 0.6
url:	http://panasonic.com/	Trust: 0.3

sources: ZDI: ZDI-15-260 // ZDI: ZDI-15-259 // CNVD: CNVD-2015-04199 // BID: 75409 // JVNDB: JVNDB-2015-003462 // CNNVD: CNNVD-201506-636 // NVD: CVE-2015-4647

CREDITS

Ariele Caltabiano (kimiya)

Trust: 2.3

sources: ZDI: ZDI-15-260 // ZDI: ZDI-15-259 // BID: 75409 // CNNVD: CNNVD-201506-636

SOURCES

db:	IVD	id:	859ac086-2351-11e6-abef-000c29c66e3d
db:	ZDI	id:	ZDI-15-260
db:	ZDI	id:	ZDI-15-259
db:	CNVD	id:	CNVD-2015-04199
db:	BID	id:	75409
db:	JVNDB	id:	JVNDB-2015-003462
db:	CNNVD	id:	CNNVD-201506-636
db:	NVD	id:	CVE-2015-4647

LAST UPDATE DATE

2025-04-13T23:18:05.332000+00:00

SOURCES UPDATE DATE

db:	ZDI	id:	ZDI-15-260	date:	2015-06-24T00:00:00
db:	ZDI	id:	ZDI-15-259	date:	2015-06-24T00:00:00
db:	CNVD	id:	CNVD-2015-04199	date:	2015-07-03T00:00:00
db:	BID	id:	75409	date:	2015-06-24T00:00:00
db:	JVNDB	id:	JVNDB-2015-003462	date:	2015-07-09T00:00:00
db:	CNNVD	id:	CNNVD-201506-636	date:	2015-07-30T00:00:00
db:	NVD	id:	CVE-2015-4647	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	IVD	id:	859ac086-2351-11e6-abef-000c29c66e3d	date:	2015-07-03T00:00:00
db:	ZDI	id:	ZDI-15-260	date:	2015-06-24T00:00:00
db:	ZDI	id:	ZDI-15-259	date:	2015-06-24T00:00:00
db:	CNVD	id:	CNVD-2015-04199	date:	2015-07-03T00:00:00
db:	BID	id:	75409	date:	2015-06-24T00:00:00
db:	JVNDB	id:	JVNDB-2015-003462	date:	2015-07-09T00:00:00
db:	CNNVD	id:	CNNVD-201506-636	date:	2015-07-01T00:00:00
db:	NVD	id:	CVE-2015-4647	date:	2015-07-06T14:59:04.313