Sign-up

ID

VAR-201604-0063


CVE

CVE-2016-2290


TITLE

Pro-face GP-Pro EX Heap Buffer Overflow Vulnerability

Trust: 0.8

sources: IVD: 5a7631ec-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2016-02013

DESCRIPTION

Heap-based buffer overflow in Pro-face GP-Pro EX EX-ED before 4.05.000, PFXEXEDV before 4.05.000, PFXEXEDLS before 4.05.000, and PFXEXGRPLS before 4.05.000 allows remote attackers to execute arbitrary code via unspecified vectors. Pro-face GP-Pro EX is a set of HMI screen editing and logic programming software from Pro-face, USA. Digital Electronics Proface GP-Pro EX is a programmable human-machine interface product from Digital Electronics of Japan. A security vulnerability exists in Digital Electronics Proface GP-Pro EX. An attacker could use this vulnerability to execute arbitrary code in the context of an affected application or leak sensitive information. Other attacks are also possible. GP-Pro EX 1.00 through 4.0.4 are vulnerable

Trust: 3.15

sources: NVD: CVE-2016-2290 // JVNDB: JVNDB-2016-001945 // CNVD: CNVD-2016-02013 // CNNVD: CNNVD-201601-279 // BID: 80168 // IVD: 5a7631ec-2351-11e6-abef-000c29c66e3d

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.8

sources: IVD: 5a7631ec-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2016-02013

AFFECTED PRODUCTS

vendor:schneider electricmodel:proface gp-pro ex pfxexgrplsscope:lteversion:4.0.4

Trust: 1.0

vendor:schneider electricmodel:proface gp-pro ex ex-edscope:lteversion:4.0.4

Trust: 1.0

vendor:schneider electricmodel:proface gp-pro ex pfxexedlsscope:lteversion:4.0.4

Trust: 1.0

vendor:schneider electricmodel:proface gp-pro ex pfxexedvscope:lteversion:4.0.4

Trust: 1.0

vendor:digitalmodel:gp-pro ex ex-edscope:ltversion:4.05.000

Trust: 0.8

vendor:digitalmodel:gp-pro ex pfxexedlsscope:ltversion:4.05.000

Trust: 0.8

vendor:digitalmodel:gp-pro ex pfxexedvscope:ltversion:4.05.000

Trust: 0.8

vendor:digitalmodel:gp-pro ex pfxexgrplsscope:ltversion:4.05.000

Trust: 0.8

vendor:pro facemodel:gp-pro exscope: - version: -

Trust: 0.6

vendor:pro facemodel:gp-pro ex pfxexgrplsscope:eqversion:4.0.4

Trust: 0.6

vendor:pro facemodel:gp-pro ex ex-edscope:eqversion:4.0.4

Trust: 0.6

vendor:pro facemodel:gp-pro ex pfxexedvscope:eqversion:4.0.4

Trust: 0.6

vendor:pro facemodel:gp-pro ex pfxexedlsscope:eqversion:4.0.4

Trust: 0.6

vendor:gp pro ex ex edmodel: - scope:eqversion:*

Trust: 0.2

vendor:gp pro ex pfxexedlsmodel: - scope:eqversion:*

Trust: 0.2

vendor:gp pro ex pfxexedvmodel: - scope:eqversion:*

Trust: 0.2

vendor:gp pro ex pfxexgrplsmodel: - scope:eqversion:*

Trust: 0.2

sources: IVD: 5a7631ec-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2016-02013 // JVNDB: JVNDB-2016-001945 // CNNVD: CNNVD-201604-028 // NVD: CVE-2016-2290

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2016-2290
value: HIGH

Trust: 1.0

NVD: CVE-2016-2290
value: HIGH

Trust: 0.8

CNVD: CNVD-2016-02013
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201604-028
value: HIGH

Trust: 0.6

IVD: 5a7631ec-2351-11e6-abef-000c29c66e3d
value: MEDIUM

Trust: 0.2

nvd@nist.gov: CVE-2016-2290
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2016-02013
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 5a7631ec-2351-11e6-abef-000c29c66e3d
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2016-2290
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2016-2290
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: IVD: 5a7631ec-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2016-02013 // JVNDB: JVNDB-2016-001945 // CNNVD: CNNVD-201604-028 // NVD: CVE-2016-2290

PROBLEMTYPE DATA

problemtype:CWE-787

Trust: 1.0

problemtype:CWE-119

Trust: 0.8

sources: JVNDB: JVNDB-2016-001945 // NVD: CVE-2016-2290

THREAT TYPE

remote

Trust: 1.2

sources: CNNVD: CNNVD-201601-279 // CNNVD: CNNVD-201604-028

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201601-279

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2016-001945

PATCH
title:GP-Pro EXurl:http://jpn.proface.co.jp/product/soft/gpproex/index.html
Trust: 0.8
title:Pro-face GP-Pro EX heap buffer overflow vulnerability patchurl:https://www.cnvd.org.cn/patchInfo/show/73689
Trust: 0.6
title:Pro-face GP-Pro EX Fixes for heap-based buffer overflow vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=60763
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2016-02013 // 
            
            
            
            JVNDB: JVNDB-2016-001945 // 
            
            
            
            CNNVD: CNNVD-201604-028

EXTERNAL IDS
db:NVDid:CVE-2016-2290
Trust: 3.5
db:ICS CERTid:ICSA-16-096-01
Trust: 3.0
db:BIDid:80168
Trust: 0.9
db:CNVDid:CNVD-2016-02013
Trust: 0.8
db:CNNVDid:CNNVD-201604-028
Trust: 0.8
db:JVNDBid:JVNDB-2016-001945
Trust: 0.8
db:CNNVDid:CNNVD-201601-279
Trust: 0.6
db:IVDid:5A7631EC-2351-11E6-ABEF-000C29C66E3D
Trust: 0.2
sources:
            
            
            IVD: 5a7631ec-2351-11e6-abef-000c29c66e3d // 
            
            
            
            CNVD: CNVD-2016-02013 // 
            
            
            
            BID: 80168 // 
            
            
            
            JVNDB: JVNDB-2016-001945 // 
            
            
            
            CNNVD: CNNVD-201601-279 // 
            
            
            
            CNNVD: CNNVD-201604-028 // 
            
            
            
            NVD: CVE-2016-2290

REFERENCES
url:https://ics-cert.us-cert.gov/advisories/icsa-16-096-01
Trust: 3.0
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-2290
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-2290
Trust: 0.8
url:http://www.securityfocus.com/bid/80168
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2016-02013 // 
            
            
            
            JVNDB: JVNDB-2016-001945 // 
            
            
            
            CNNVD: CNNVD-201601-279 // 
            
            
            
            CNNVD: CNNVD-201604-028 // 
            
            
            
            NVD: CVE-2016-2290

CREDITS
Steven Seeley of Source Incite and Brian Gorenc of HP Zero Day Initiative.
Trust: 0.9
sources:
            
            
            BID: 80168 // 
            
            
            
            CNNVD: CNNVD-201601-279

SOURCES
db:IVDid:5a7631ec-2351-11e6-abef-000c29c66e3d
db:CNVDid:CNVD-2016-02013
db:BIDid:80168
db:JVNDBid:JVNDB-2016-001945
db:CNNVDid:CNNVD-201601-279
db:CNNVDid:CNNVD-201604-028
db:NVDid:CVE-2016-2290

LAST UPDATE DATE
2025-04-13T23:25:10.341000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2016-02013date:2016-04-07T00:00:00
db:BIDid:80168date:2016-07-06T14:21:00
db:JVNDBid:JVNDB-2016-001945date:2016-04-08T00:00:00
db:CNNVDid:CNNVD-201601-279date:2016-01-15T00:00:00
db:CNNVDid:CNNVD-201604-028date:2021-09-10T00:00:00
db:NVDid:CVE-2016-2290date:2025-04-12T10:46:40.837

SOURCES RELEASE DATE
db:IVDid:5a7631ec-2351-11e6-abef-000c29c66e3ddate:2016-04-07T00:00:00
db:CNVDid:CNVD-2016-02013date:2016-04-07T00:00:00
db:BIDid:80168date:2016-01-08T00:00:00
db:JVNDBid:JVNDB-2016-001945date:2016-04-08T00:00:00
db:CNNVDid:CNNVD-201601-279date:2016-01-15T00:00:00
db:CNNVDid:CNNVD-201604-028date:2016-04-06T00:00:00
db:NVDid:CVE-2016-2290date:2016-04-06T23:59:16.803