ID

VAR-201710-0804


CVE

CVE-2017-14017


TITLE

Progea Movicon SCADA/HMI Arbitrary code execution vulnerability

Trust: 0.8

sources: IVD: f722565a-b363-40d4-9b2c-f2853d768656 // CNVD: CNVD-2017-30495

DESCRIPTION

An Uncontrolled Search Path Element issue was discovered in Progea Movicon Version 11.5.1181 and prior. An uncontrolled search path element vulnerability has been identified, which may allow a remote attacker without privileges to execute arbitrary code in the form of a malicious DLL file.

Progea Movicon contains a vulnerability related to uncontrolled search path elements. Information may be obtained or altered, and service operation may be disrupted (DoS).

Movicon is industrial monitoring software (SCADA/HMI) developed by the Italian automation software provider PROGEA. Progea Movicon is prone to multiple privilege-escalation vulnerabilities. Movicon versions 11.5.1181 and prior are affected.

------------------------ BACKGROUND ------------------------
Critical Infrastructure Sectors: Critical Manufacturing, Energy, Food and Agriculture, Transportation Systems, Water and Wastewater Systems
Countries/Areas Deployed: Europe, India, and United States
Company Headquarters Location: Italy

------------------------ IMPACT ------------------------
Successful exploitation of these vulnerabilities could allow privilege escalation or arbitrary code execution. The specific flaw exists within the handling of a specific named DLL file used by Movicon SCADA/HMI. By placing a specific DLL file (listed below), an attacker is able to force the process to load an arbitrary DLL.

------------------------ DLL File Name (1) ------------------------
api-ms-win-appmodel-runtime-l1-1-0.dll

------------------------ Application Executables (that look for missing DLL) ------------------------
Movicon.exe
MoviconRunTime.exe
MoviconService.exe
AlarmsImpExp.exe
ReportViewerNET.exe

------------------------ Steps to reproduce ------------------------
1. Generate a dll payload
   msfvenom -p windows/exec cmd=calc.exe -f dll -o api-ms-win-appmodel-runtime-l1-1-0.dll
2. Place this dll in install directory (or C:\Windows, or any directory defined in the PATH environment variable)
   C:\Program Files\Progea\Movicon11.5\
3. Run MoviconService.exe (or any of the above listed executables), and Exit
------------------------

CVE-2017-14017 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H).

A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot.

• MOVICON (MOVICON) runs as LocalSystem and has path: C:\Program Files\Progea\Movicon11.5\MoviconService.exe:

CVE-2017-14019 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H).

+++++
Best Regards,
Karn Ganeshen

Trust: 2.7

sources: NVD: CVE-2017-14017 // JVNDB: JVNDB-2017-009507 // CNVD: CNVD-2017-30495 // BID: 101483 // IVD: f722565a-b363-40d4-9b2c-f2853d768656 // PACKETSTORM: 144818

IOT TAXONOMY

category: ['ICS', 'Network device'] // sub_category: -

Trust: 0.6

category: ['ICS'] // sub_category: -

Trust: 0.2

sources: IVD: f722565a-b363-40d4-9b2c-f2853d768656 // CNVD: CNVD-2017-30495

AFFECTED PRODUCTS

vendor: progea // model: movicon // scope: lte // version: 11.5.1181

Trust: 1.0

vendor: progea // model: movicon // scope: eq // version: 11.5.1181

Trust: 0.9

vendor: progea srl // model: movicon // scope: lte // version: 11.5.1181

Trust: 0.8

vendor: progea // model: movicon // scope: lte // version: <=11.5.1181

Trust: 0.6

vendor: progea // model: movicon // scope: eq // version: 11.4.1150

Trust: 0.3

vendor: progea // model: movicon build // scope: eq // version: 11.41150

Trust: 0.3

vendor: progea // model: movicon // scope: eq // version: 11.4

Trust: 0.3

vendor: progea // model: movicon // scope: eq // version: 11.3

Trust: 0.3

vendor: progea // model: movicon // scope: eq // version: 11.2.1085.4

Trust: 0.3

vendor: progea // model: movicon // scope: eq // version: 11.2.1085.3

Trust: 0.3

vendor: progea // model: movicon build // scope: eq // version: 11.21085

Trust: 0.3

vendor: progea // model: movicon build // scope: eq // version: 11.21084

Trust: 0.3

vendor: progea // model: movicon // scope: eq // version: 11.2

Trust: 0.3

vendor: movicon // model: - // scope: eq // version: *

Trust: 0.2

sources: IVD: f722565a-b363-40d4-9b2c-f2853d768656 // CNVD: CNVD-2017-30495 // BID: 101483 // JVNDB: JVNDB-2017-009507 // CNNVD: CNNVD-201708-1258 // NVD: CVE-2017-14017

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-14017
value: HIGH

Trust: 1.0

NVD: CVE-2017-14017
value: HIGH

Trust: 0.8

CNVD: CNVD-2017-30495
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201708-1258
value: HIGH

Trust: 0.6

IVD: f722565a-b363-40d4-9b2c-f2853d768656
value: HIGH

Trust: 0.2

nvd@nist.gov: CVE-2017-14017
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2017-30495
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: f722565a-b363-40d4-9b2c-f2853d768656
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2017-14017
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: IVD: f722565a-b363-40d4-9b2c-f2853d768656 // CNVD: CNVD-2017-30495 // JVNDB: JVNDB-2017-009507 // CNNVD: CNNVD-201708-1258 // NVD: CVE-2017-14017

PROBLEMTYPE DATA

problemtype:CWE-427

Trust: 1.8

sources: JVNDB: JVNDB-2017-009507 // NVD: CVE-2017-14017

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201708-1258

TYPE

Code problem

Trust: 0.8

sources: IVD: f722565a-b363-40d4-9b2c-f2853d768656 // CNNVD: CNNVD-201708-1258

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-009507

PATCH

title: Top Page // url: https://www.progea.com/

Trust: 0.8

sources: JVNDB: JVNDB-2017-009507

EXTERNAL IDS

db: NVD // id: CVE-2017-14017

Trust: 3.6

db: ICS CERT // id: ICSA-17-290-01

Trust: 3.4

db: BID // id: 101483

Trust: 1.9

db: CNVD // id: CNVD-2017-30495

Trust: 0.8

db: CNNVD // id: CNNVD-201708-1258

Trust: 0.8

db: JVNDB // id: JVNDB-2017-009507

Trust: 0.8

db: IVD // id: F722565A-B363-40D4-9B2C-F2853D768656

Trust: 0.2

db: PACKETSTORM // id: 144818

Trust: 0.1

sources: IVD: f722565a-b363-40d4-9b2c-f2853d768656 // CNVD: CNVD-2017-30495 // BID: 101483 // JVNDB: JVNDB-2017-009507 // PACKETSTORM: 144818 // CNNVD: CNNVD-201708-1258 // NVD: CVE-2017-14017

REFERENCES

url:https://ics-cert.us-cert.gov/advisories/icsa-17-290-01

Trust: 3.4

url:http://www.securityfocus.com/bid/101483

Trust: 1.6

url:https://nvd.nist.gov/vuln/detail/cve-2017-14017

Trust: 0.9

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-14017

Trust: 0.8

url:http://www.progea.com/it-it/downloads/software.aspx

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2017-14019

Trust: 0.1

url:https://ipositivesecurity.com/2017/10/28/ics-progea-movicon-scadahmi-vulnerabilities/

Trust: 0.1

sources: CNVD: CNVD-2017-30495 // BID: 101483 // JVNDB: JVNDB-2017-009507 // PACKETSTORM: 144818 // CNNVD: CNNVD-201708-1258 // NVD: CVE-2017-14017

CREDITS

Karn Ganeshen.

Trust: 0.3

sources: BID: 101483

SOURCES

db: IVD // id: f722565a-b363-40d4-9b2c-f2853d768656
db: CNVD // id: CNVD-2017-30495
db: BID // id: 101483
db: JVNDB // id: JVNDB-2017-009507
db: PACKETSTORM // id: 144818
db: CNNVD // id: CNNVD-201708-1258
db: NVD // id: CVE-2017-14017

LAST UPDATE DATE

2025-04-20T23:24:52.393000+00:00


SOURCES UPDATE DATE

db: CNVD // id: CNVD-2017-30495 // date: 2017-10-18T00:00:00
db: BID // id: 101483 // date: 2017-10-17T00:00:00
db: JVNDB // id: JVNDB-2017-009507 // date: 2017-11-14T00:00:00
db: CNNVD // id: CNNVD-201708-1258 // date: 2019-10-17T00:00:00
db: NVD // id: CVE-2017-14017 // date: 2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db: IVD // id: f722565a-b363-40d4-9b2c-f2853d768656 // date: 2017-10-18T00:00:00
db: CNVD // id: CNVD-2017-30495 // date: 2017-10-18T00:00:00
db: BID // id: 101483 // date: 2017-10-17T00:00:00
db: JVNDB // id: JVNDB-2017-009507 // date: 2017-11-14T00:00:00
db: PACKETSTORM // id: 144818 // date: 2017-10-31T13:44:44
db: CNNVD // id: CNNVD-201708-1258 // date: 2017-08-31T00:00:00
db: NVD // id: CVE-2017-14017 // date: 2017-10-19T23:29:00.280