Details of VAR-201710-0805

ID

VAR-201710-0805

CVE

CVE-2017-14019

TITLE

Progea Movicon Vulnerabilities related to unquoted search paths or elements

Trust: 0.8

sources: JVNDB: JVNDB-2017-009503

DESCRIPTION

An Unquoted Search Path or Element issue was discovered in Progea Movicon Version 11.5.1181 and prior. An unquoted search path or element vulnerability has been identified, which may allow an authorized local user to insert arbitrary code into the unquoted service path and escalate his or her privileges. Progea Movicon Contains vulnerabilities related to unquoted search paths or elements.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Movicon is an industrial monitoring software developed by the Italian automation software provider PROGEA (Scada/HMI). Progea Movicon is prone to a multiple privilege-escalation vulnerabilities. An attacker can exploit these issues to execute arbitrary code to gain elevated privileges. Movicon versions 11.5.1181 and prior are affected. ------------------------ BACKGROUND ------------------------ Critical Infrastructure Sectors: Critical Manufacturing, Energy, Food and Agriculture, Transportation Systems, Water and Wastewater Systems Countries/Areas Deployed: Europe, India, and United States Company Headquarters Location: Italy ------------------------ IMPACT ------------------------ Successful exploitation of these vulnerabilities could allow privilege escalation or arbitrary code execution. User interaction is required to exploit this vulnerability in that the malicious dll file should be saved in any of the DLL search paths. The specific flaw exists within the handling of a specific named DLL file used by Movicon SCADA/HMI. By placing specific DLL file (listed below), an attacker is able to force the process to load an arbitrary DLL. ------------------------ DLL File Name (1) ------------------------ api-ms-win-appmodel-runtime-l1-1-0.dll ------------------------ Application Executables (that look for missing DLL) ------------------------ Movicon.exe MoviconRunTime.exe MoviconService.exe AlarmsImpExp.exe ReportViewerNET.exe ------------------------ Steps to reproduce ------------------------ 1. Generate a dll payload msfvenom ap windows/exec cmd=calc.exe af dll ao api-ms-win-appmodel-runtime-l1-1-0.dll 2. Place this dll in install directory (or C:\Windows, or any directory defined in the PATH environment variable) C:\Program Files\Progea\Movicon11.5\ 3. Run MoviconService.exe (or any of the above listed executables), and Exit ------------------------ CVE-2017-14017 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H). A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. aC/ MOVICON (MOVICON) runs as LocalSystem and has path: C:\Program Files\Progea\Movicon11.5\MoviconService.exe: CVE-2017-14019 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H). +++++ Best Regards, Karn Ganeshen

Trust: 2.7

sources: NVD: CVE-2017-14019 // JVNDB: JVNDB-2017-009503 // CNVD: CNVD-2017-30496 // BID: 101483 // IVD: e538bc3b-a533-48aa-a303-eeaf311c363b // PACKETSTORM: 144818

IOT TAXONOMY

category:	['ICS', 'Network device']	sub_category:	-	Trust: 0.6
category:	['ICS']	sub_category:	-	Trust: 0.2

sources: IVD: e538bc3b-a533-48aa-a303-eeaf311c363b // CNVD: CNVD-2017-30496

AFFECTED PRODUCTS

vendor:	progea	model:	movicon	scope:	eq	version:	11.5.1181	Trust: 1.9
vendor:	progea srl	model:	movicon	scope:	lte	version:	11.5.1181	Trust: 0.8
vendor:	progea	model:	movicon	scope:	lte	version:	<=11.5.1181	Trust: 0.6
vendor:	progea	model:	movicon	scope:	eq	version:	11.4.1150	Trust: 0.3
vendor:	progea	model:	movicon build	scope:	eq	version:	11.41150	Trust: 0.3
vendor:	progea	model:	movicon	scope:	eq	version:	11.4	Trust: 0.3
vendor:	progea	model:	movicon	scope:	eq	version:	11.3	Trust: 0.3
vendor:	progea	model:	movicon	scope:	eq	version:	11.2.1085.4	Trust: 0.3
vendor:	progea	model:	movicon	scope:	eq	version:	11.2.1085.3	Trust: 0.3
vendor:	progea	model:	movicon build	scope:	eq	version:	11.21085	Trust: 0.3
vendor:	progea	model:	movicon build	scope:	eq	version:	11.21084	Trust: 0.3
vendor:	progea	model:	movicon	scope:	eq	version:	11.2	Trust: 0.3
vendor:	movicon	model:	-	scope:	eq	version:	11.5.1181	Trust: 0.2

sources: IVD: e538bc3b-a533-48aa-a303-eeaf311c363b // CNVD: CNVD-2017-30496 // BID: 101483 // JVNDB: JVNDB-2017-009503 // CNNVD: CNNVD-201708-1256 // NVD: CVE-2017-14019

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-14019
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2017-14019
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2017-30496
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201708-1256
value:	MEDIUM
Trust: 0.6
IVD:	e538bc3b-a533-48aa-a303-eeaf311c363b
value:	MEDIUM
Trust: 0.2

nvd@nist.gov:	CVE-2017-14019
severity:	MEDIUM
baseScore:	4.6
vectorString:	AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	3.9
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2017-30496
severity:	HIGH
baseScore:	7.2
vectorString:	AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	e538bc3b-a533-48aa-a303-eeaf311c363b
severity:	HIGH
baseScore:	7.2
vectorString:	AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2

nvd@nist.gov:	CVE-2017-14019
baseSeverity:	MEDIUM
baseScore:	6.7
vectorString:	CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	0.8
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: IVD: e538bc3b-a533-48aa-a303-eeaf311c363b // CNVD: CNVD-2017-30496 // JVNDB: JVNDB-2017-009503 // CNNVD: CNNVD-201708-1256 // NVD: CVE-2017-14019

PROBLEMTYPE DATA

problemtype:

CWE-428

Trust: 1.8

sources: JVNDB: JVNDB-2017-009503 // NVD: CVE-2017-14019

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201708-1256

TYPE

Code problem

Trust: 0.8

sources: IVD: e538bc3b-a533-48aa-a303-eeaf311c363b // CNNVD: CNNVD-201708-1256

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-009503

PATCH

title:

Top Page

url:

https://www.progea.com/

Trust: 0.8

sources: JVNDB: JVNDB-2017-009503

EXTERNAL IDS

db:	NVD	id:	CVE-2017-14019	Trust: 3.6
db:	ICS CERT	id:	ICSA-17-290-01	Trust: 3.4
db:	BID	id:	101483	Trust: 1.9
db:	CNVD	id:	CNVD-2017-30496	Trust: 0.8
db:	CNNVD	id:	CNNVD-201708-1256	Trust: 0.8
db:	JVNDB	id:	JVNDB-2017-009503	Trust: 0.8
db:	IVD	id:	E538BC3B-A533-48AA-A303-EEAF311C363B	Trust: 0.2
db:	PACKETSTORM	id:	144818	Trust: 0.1

sources: IVD: e538bc3b-a533-48aa-a303-eeaf311c363b // CNVD: CNVD-2017-30496 // BID: 101483 // JVNDB: JVNDB-2017-009503 // PACKETSTORM: 144818 // CNNVD: CNNVD-201708-1256 // NVD: CVE-2017-14019

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-17-290-01	Trust: 3.4
url:	http://www.securityfocus.com/bid/101483	Trust: 1.6
url:	https://nvd.nist.gov/vuln/detail/cve-2017-14019	Trust: 0.9
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-14019	Trust: 0.8
url:	http://www.progea.com/it-it/downloads/software.aspx	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2017-14017	Trust: 0.1
url:	https://ipositivesecurity.com/2017/10/28/ics-progea-movicon-scadahmi-vulnerabilities/	Trust: 0.1

sources: CNVD: CNVD-2017-30496 // BID: 101483 // JVNDB: JVNDB-2017-009503 // PACKETSTORM: 144818 // CNNVD: CNNVD-201708-1256 // NVD: CVE-2017-14019

CREDITS

Karn Ganeshen.

Trust: 0.3

sources: BID: 101483

SOURCES

db:	IVD	id:	e538bc3b-a533-48aa-a303-eeaf311c363b
db:	CNVD	id:	CNVD-2017-30496
db:	BID	id:	101483
db:	JVNDB	id:	JVNDB-2017-009503
db:	PACKETSTORM	id:	144818
db:	CNNVD	id:	CNNVD-201708-1256
db:	NVD	id:	CVE-2017-14019

LAST UPDATE DATE

2025-04-20T23:24:52.352000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2017-30496	date:	2017-10-18T00:00:00
db:	BID	id:	101483	date:	2017-10-17T00:00:00
db:	JVNDB	id:	JVNDB-2017-009503	date:	2017-11-14T00:00:00
db:	CNNVD	id:	CNNVD-201708-1256	date:	2019-10-17T00:00:00
db:	NVD	id:	CVE-2017-14019	date:	2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db:	IVD	id:	e538bc3b-a533-48aa-a303-eeaf311c363b	date:	2017-10-18T00:00:00
db:	CNVD	id:	CNVD-2017-30496	date:	2017-10-18T00:00:00
db:	BID	id:	101483	date:	2017-10-17T00:00:00
db:	JVNDB	id:	JVNDB-2017-009503	date:	2017-11-14T00:00:00
db:	PACKETSTORM	id:	144818	date:	2017-10-31T13:44:44
db:	CNNVD	id:	CNNVD-201708-1256	date:	2017-08-31T00:00:00
db:	NVD	id:	CVE-2017-14019	date:	2017-10-19T23:29:00.327