Sign-up

ID

VAR-201711-0417


CVE

CVE-2017-14031


TITLE

Trihedral Engineering Limited VTScada Unauthorized Access Vulnerability

Trust: 0.8

sources: IVD: 66d3ee10-0a24-4ce8-81cf-5e3f113a7cb2 // CNVD: CNVD-2017-32169

DESCRIPTION

An Improper Access Control issue was discovered in Trihedral VTScada 11.3.03 and prior. A local, non-administrator user has privileges to read and write to the file system of the target machine. Trihedral VTScada Contains an access control vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Trihedral VTScada (formerly known as VTS) is a SCADA system based on the Windows platform provided by Trihedral Engineering of Canada. There are multiple vulnerabilities in Trihedral Engineering Limited VTScada. An attacker could execute arbitrary script code in an affected application or bypass an security restriction to perform an unauthorized operation

Trust: 3.33

sources: NVD: CVE-2017-14031 // JVNDB: JVNDB-2017-009928 // CNVD: CNVD-2018-16270 // CNVD: CNVD-2017-32169 // BID: 101629 // IVD: e2f8ae50-39ab-11e9-bd77-000c29342cb1 // IVD: 66d3ee10-0a24-4ce8-81cf-5e3f113a7cb2

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 1.6

sources: IVD: e2f8ae50-39ab-11e9-bd77-000c29342cb1 // IVD: 66d3ee10-0a24-4ce8-81cf-5e3f113a7cb2 // CNVD: CNVD-2018-16270 // CNVD: CNVD-2017-32169

AFFECTED PRODUCTS

vendor:trihedralmodel:engineering limited vtscadascope:eqversion:11.3.2

Trust: 1.1

vendor:trihedralmodel:vtscadascope:lteversion:11.3.03

Trust: 1.0

vendor:trihedralmodel:engineering limited vtscadascope:eqversion:11.3.3

Trust: 0.9

vendor:trihedral engineeringmodel:vtscadascope:lteversion:11.3.03

Trust: 0.8

vendor:trihedralmodel:engineering limited vtscadascope:lteversion:<=11.3.03

Trust: 0.6

vendor:trihedralmodel:vtscadascope:eqversion:11.3.03

Trust: 0.6

vendor:trihedralmodel:engineering limited vtscadascope:neversion:11.3.5

Trust: 0.3

vendor:trihedralmodel:engineering limited vtscadascope:eqversion:11.3.3*

Trust: 0.2

vendor:vtscadamodel: - scope:eqversion:*

Trust: 0.2

sources: IVD: e2f8ae50-39ab-11e9-bd77-000c29342cb1 // IVD: 66d3ee10-0a24-4ce8-81cf-5e3f113a7cb2 // CNVD: CNVD-2018-16270 // CNVD: CNVD-2017-32169 // BID: 101629 // JVNDB: JVNDB-2017-009928 // CNNVD: CNNVD-201708-1244 // NVD: CVE-2017-14031

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-14031
value: HIGH

Trust: 1.0

NVD: CVE-2017-14031
value: HIGH

Trust: 0.8

CNVD: CNVD-2018-16270
value: HIGH

Trust: 0.6

CNVD: CNVD-2017-32169
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201708-1244
value: HIGH

Trust: 0.6

IVD: e2f8ae50-39ab-11e9-bd77-000c29342cb1
value: HIGH

Trust: 0.2

IVD: 66d3ee10-0a24-4ce8-81cf-5e3f113a7cb2
value: HIGH

Trust: 0.2

nvd@nist.gov: CVE-2017-14031
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2018-16270
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CNVD: CNVD-2017-32169
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: e2f8ae50-39ab-11e9-bd77-000c29342cb1
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

IVD: 66d3ee10-0a24-4ce8-81cf-5e3f113a7cb2
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2017-14031
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: IVD: e2f8ae50-39ab-11e9-bd77-000c29342cb1 // IVD: 66d3ee10-0a24-4ce8-81cf-5e3f113a7cb2 // CNVD: CNVD-2018-16270 // CNVD: CNVD-2017-32169 // JVNDB: JVNDB-2017-009928 // CNNVD: CNNVD-201708-1244 // NVD: CVE-2017-14031

PROBLEMTYPE DATA

problemtype:CWE-284

Trust: 1.8

problemtype:CWE-269

Trust: 1.0

sources: JVNDB: JVNDB-2017-009928 // NVD: CVE-2017-14031

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201708-1244

TYPE

Access control error

Trust: 0.8

sources: IVD: 66d3ee10-0a24-4ce8-81cf-5e3f113a7cb2 // CNNVD: CNNVD-201708-1244

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2017-009928

PATCH
title:Moving to the Current Versionurl:https://www.trihedral.com/help/Content/Op_Welcome/Wel_UpgradeNotes.htm
Trust: 0.8
title:Trihedral Engineering Limited VTScada ICSA-17-304-0 patch with multiple vulnerabilitiesurl:https://www.cnvd.org.cn/patchInfo/show/137735
Trust: 0.6
title:Trihedral Engineering Limited VTScada does not authorize access to the vulnerability patchurl:https://www.cnvd.org.cn/patchInfo/show/105113
Trust: 0.6
title:Trihedral VTScada Fixes for access control error vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=100007
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2018-16270 // 
            
            
            
            CNVD: CNVD-2017-32169 // 
            
            
            
            JVNDB: JVNDB-2017-009928 // 
            
            
            
            CNNVD: CNNVD-201708-1244

EXTERNAL IDS
db:ICS CERTid:ICSA-17-304-02
Trust: 3.3
db:NVDid:CVE-2017-14031
Trust: 3.2
db:BIDid:101629
Trust: 0.9
db:CNVDid:CNVD-2018-16270
Trust: 0.8
db:CNVDid:CNVD-2017-32169
Trust: 0.8
db:CNNVDid:CNNVD-201708-1244
Trust: 0.8
db:JVNDBid:JVNDB-2017-009928
Trust: 0.8
db:IVDid:E2F8AE50-39AB-11E9-BD77-000C29342CB1
Trust: 0.2
db:IVDid:66D3EE10-0A24-4CE8-81CF-5E3F113A7CB2
Trust: 0.2
sources:
            
            
            IVD: e2f8ae50-39ab-11e9-bd77-000c29342cb1 // 
            
            
            
            IVD: 66d3ee10-0a24-4ce8-81cf-5e3f113a7cb2 // 
            
            
            
            CNVD: CNVD-2018-16270 // 
            
            
            
            CNVD: CNVD-2017-32169 // 
            
            
            
            BID: 101629 // 
            
            
            
            JVNDB: JVNDB-2017-009928 // 
            
            
            
            CNNVD: CNNVD-201708-1244 // 
            
            
            
            NVD: CVE-2017-14031

REFERENCES
url:https://ics-cert.us-cert.gov/advisories/icsa-17-304-02
Trust: 3.3
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-14031
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2017-14031
Trust: 0.8
url:http://www.securityfocus.com/bid/101629
Trust: 0.6
url:www.trihedral.com
Trust: 0.3
sources:
            
            
            CNVD: CNVD-2018-16270 // 
            
            
            
            CNVD: CNVD-2017-32169 // 
            
            
            
            BID: 101629 // 
            
            
            
            JVNDB: JVNDB-2017-009928 // 
            
            
            
            CNNVD: CNNVD-201708-1244 // 
            
            
            
            NVD: CVE-2017-14031

CREDITS
Karn Ganeshen and Mark Cross.
Trust: 0.3
sources:
            
            
            BID: 101629

SOURCES
db:IVDid:e2f8ae50-39ab-11e9-bd77-000c29342cb1
db:IVDid:66d3ee10-0a24-4ce8-81cf-5e3f113a7cb2
db:CNVDid:CNVD-2018-16270
db:CNVDid:CNVD-2017-32169
db:BIDid:101629
db:JVNDBid:JVNDB-2017-009928
db:CNNVDid:CNNVD-201708-1244
db:NVDid:CVE-2017-14031

LAST UPDATE DATE
2025-04-20T23:27:14.752000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2018-16270date:2018-08-27T00:00:00
db:CNVDid:CNVD-2017-32169date:2017-11-01T00:00:00
db:BIDid:101629date:2017-12-19T22:36:00
db:JVNDBid:JVNDB-2017-009928date:2017-11-29T00:00:00
db:CNNVDid:CNNVD-201708-1244date:2019-10-17T00:00:00
db:NVDid:CVE-2017-14031date:2025-04-20T01:37:25.860

SOURCES RELEASE DATE
db:IVDid:e2f8ae50-39ab-11e9-bd77-000c29342cb1date:2018-08-27T00:00:00
db:IVDid:66d3ee10-0a24-4ce8-81cf-5e3f113a7cb2date:2017-11-01T00:00:00
db:CNVDid:CNVD-2018-16270date:2018-08-27T00:00:00
db:CNVDid:CNVD-2017-32169date:2017-11-01T00:00:00
db:BIDid:101629date:2017-10-31T00:00:00
db:JVNDBid:JVNDB-2017-009928date:2017-11-29T00:00:00
db:CNNVDid:CNNVD-201708-1244date:2017-08-31T00:00:00
db:NVDid:CVE-2017-14031date:2017-11-06T22:29:00.380