Details of VAR-201709-0615

ID

VAR-201709-0615

CVE

CVE-2017-5147

TITLE

AzeoTech DAQFactory Uncontrolled search path element vulnerability

Trust: 0.8

sources: IVD: 93aca8ed-db66-4e65-9918-6da112ded248 // CNVD: CNVD-2017-23888

DESCRIPTION

An Uncontrolled Search Path Element issue was discovered in AzeoTech DAQFactory versions prior to 17.1. An uncontrolled search path element vulnerability has been identified, which may execute malicious DLL files that have been placed within the search path. AzeoTech DAQFactory Contains a vulnerability related to uncontrolled search path elements.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. AzeoTech DAQFactory is an HMI/SCADA software. AzeoTech DAQFactory is prone to multiple security vulnerabilities. Attackers can exploit this issue to execute arbitrary code in the context of the user running the affected applications or bypass certain security restrictions and perform unauthorized actions. Versions prior to DAQFactory 17.1 are vulnerable

Trust: 2.61

sources: NVD: CVE-2017-5147 // JVNDB: JVNDB-2017-007912 // CNVD: CNVD-2017-23888 // BID: 100522 // IVD: 93aca8ed-db66-4e65-9918-6da112ded248

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.8

sources: IVD: 93aca8ed-db66-4e65-9918-6da112ded248 // CNVD: CNVD-2017-23888

AFFECTED PRODUCTS

vendor:	azeotech	model:	daqfactory	scope:	lt	version:	17.1	Trust: 1.4
vendor:	azeotech	model:	daqfactory	scope:	lte	version:	16.3	Trust: 1.0
vendor:	azeotech	model:	daqfactory	scope:	eq	version:	16.3	Trust: 0.9
vendor:	azeotech	model:	daqfactory	scope:	eq	version:	5.91	Trust: 0.3
vendor:	azeotech	model:	daqfactory	scope:	eq	version:	5.90	Trust: 0.3
vendor:	azeotech	model:	daqfactory	scope:	eq	version:	5.86	Trust: 0.3
vendor:	azeotech	model:	daqfactory	scope:	eq	version:	5.85	Trust: 0.3
vendor:	azeotech	model:	daqfactory	scope:	eq	version:	5.84	Trust: 0.3
vendor:	azeotech	model:	daqfactory	scope:	eq	version:	5.83	Trust: 0.3
vendor:	azeotech	model:	daqfactory	scope:	eq	version:	16.2	Trust: 0.3
vendor:	azeotech	model:	daqfactory	scope:	eq	version:	16.1	Trust: 0.3
vendor:	azeotech	model:	daqfactory	scope:	ne	version:	17.1	Trust: 0.3
vendor:	daqfactory	model:	-	scope:	eq	version:	*	Trust: 0.2

sources: IVD: 93aca8ed-db66-4e65-9918-6da112ded248 // CNVD: CNVD-2017-23888 // BID: 100522 // JVNDB: JVNDB-2017-007912 // CNNVD: CNNVD-201709-088 // NVD: CVE-2017-5147

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-5147
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2017-5147
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2017-23888
value:	LOW
Trust: 0.6
CNNVD:	CNNVD-201709-088
value:	MEDIUM
Trust: 0.6
IVD:	93aca8ed-db66-4e65-9918-6da112ded248
value:	MEDIUM
Trust: 0.2

nvd@nist.gov:	CVE-2017-5147
severity:	MEDIUM
baseScore:	4.6
vectorString:	AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	3.9
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2017-23888
severity:	LOW
baseScore:	3.7
vectorString:	AV:L/AC:H/AU:N/C:P/I:P/A:P
accessVector:	LOCAL
accessComplexity:	HIGH
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	1.9
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	93aca8ed-db66-4e65-9918-6da112ded248
severity:	LOW
baseScore:	3.7
vectorString:	AV:L/AC:H/AU:N/C:P/I:P/A:P
accessVector:	LOCAL
accessComplexity:	HIGH
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	1.9
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2

nvd@nist.gov:	CVE-2017-5147
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	LOW
exploitabilityScore:	1.8
impactScore:	3.4
version:	3.0
Trust: 1.8

sources: IVD: 93aca8ed-db66-4e65-9918-6da112ded248 // CNVD: CNVD-2017-23888 // JVNDB: JVNDB-2017-007912 // CNNVD: CNNVD-201709-088 // NVD: CVE-2017-5147

PROBLEMTYPE DATA

problemtype:

CWE-427

Trust: 1.8

sources: JVNDB: JVNDB-2017-007912 // NVD: CVE-2017-5147

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201709-088

TYPE

Code problem

Trust: 0.8

sources: IVD: 93aca8ed-db66-4e65-9918-6da112ded248 // CNNVD: CNNVD-201709-088

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-007912

PATCH

title:	Top Page	url:	http://www.azeotech.com/daqfactory.php	Trust: 0.8
title:	AzeoTech DAQFactory Uncontrolled Search Path Element Vulnerability Patch	url:	https://www.cnvd.org.cn/patchInfo/show/101183	Trust: 0.6
title:	AzeoTech DAQFactory Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=74543	Trust: 0.6

sources: CNVD: CNVD-2017-23888 // JVNDB: JVNDB-2017-007912 // CNNVD: CNNVD-201709-088

EXTERNAL IDS

db:	NVD	id:	CVE-2017-5147	Trust: 3.5
db:	ICS CERT	id:	ICSA-17-241-01	Trust: 3.3
db:	BID	id:	100522	Trust: 1.9
db:	CNVD	id:	CNVD-2017-23888	Trust: 0.8
db:	CNNVD	id:	CNNVD-201709-088	Trust: 0.8
db:	JVNDB	id:	JVNDB-2017-007912	Trust: 0.8
db:	IVD	id:	93ACA8ED-DB66-4E65-9918-6DA112DED248	Trust: 0.2

sources: IVD: 93aca8ed-db66-4e65-9918-6da112ded248 // CNVD: CNVD-2017-23888 // BID: 100522 // JVNDB: JVNDB-2017-007912 // CNNVD: CNNVD-201709-088 // NVD: CVE-2017-5147

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-17-241-01	Trust: 3.3
url:	http://www.securityfocus.com/bid/100522	Trust: 1.6
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-5147	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-5147	Trust: 0.8
url:	http://www.azeotech.com/index.php	Trust: 0.3
url:	https://www.azeotech.com/j/revision-history.html	Trust: 0.3

sources: CNVD: CNVD-2017-23888 // BID: 100522 // JVNDB: JVNDB-2017-007912 // CNNVD: CNNVD-201709-088 // NVD: CVE-2017-5147

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 100522

SOURCES

db:	IVD	id:	93aca8ed-db66-4e65-9918-6da112ded248
db:	CNVD	id:	CNVD-2017-23888
db:	BID	id:	100522
db:	JVNDB	id:	JVNDB-2017-007912
db:	CNNVD	id:	CNNVD-201709-088
db:	NVD	id:	CVE-2017-5147

LAST UPDATE DATE

2025-04-20T23:25:57.095000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2017-23888	date:	2017-08-30T00:00:00
db:	BID	id:	100522	date:	2017-08-29T00:00:00
db:	JVNDB	id:	JVNDB-2017-007912	date:	2017-10-04T00:00:00
db:	CNNVD	id:	CNNVD-201709-088	date:	2019-10-17T00:00:00
db:	NVD	id:	CVE-2017-5147	date:	2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db:	IVD	id:	93aca8ed-db66-4e65-9918-6da112ded248	date:	2017-08-30T00:00:00
db:	CNVD	id:	CNVD-2017-23888	date:	2017-08-30T00:00:00
db:	BID	id:	100522	date:	2017-08-29T00:00:00
db:	JVNDB	id:	JVNDB-2017-007912	date:	2017-10-04T00:00:00
db:	CNNVD	id:	CNNVD-201709-088	date:	2017-08-29T00:00:00
db:	NVD	id:	CVE-2017-5147	date:	2017-09-09T01:29:02.847