Details of VAR-201807-2221

ID

VAR-201807-2221

TITLE

NAPro has a memory corruption vulnerability

Trust: 0.6

sources: CNVD: CNVD-2018-13548

DESCRIPTION

Nanda Aotuo Technology Jiangsu Co., Ltd. focuses on the research and development, production and sales of programmable logic controller PLC. At present, it has formed large and medium-sized PLC products, supplemented by small PLC products, remote measurement and control unit (RTU), touch screen, etc Product structure. NAPro has a memory corruption vulnerability. The vulnerability is due to NAPro's failure to determine whether the return value of the strlen function is legal when parsing the project. Attackers can use vulnerabilities to construct illegal data entry functions, causing software to crash

Trust: 0.72

sources: CNVD: CNVD-2018-13548 // IVD: e2f74ec2-39ab-11e9-a86c-000c29342cb1

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.8

sources: IVD: e2f74ec2-39ab-11e9-a86c-000c29342cb1 // CNVD: CNVD-2018-13548

AFFECTED PRODUCTS

vendor:	nandao jiangsu	model:	napro--na 200h plc programming software	scope:	eq	version:	v5.7.0	Trust: 0.6
vendor:	nandao jiangsu	model:	napro--na plc programming software	scope:	eq	version:	300v5.7.0	Trust: 0.6
vendor:	nandao jiangsu	model:	napro--na400 na300 na200h plc programming software	scope:	eq	version:	//v5.7.0	Trust: 0.6
vendor:	nanda auto jiangsu	model:	napro--na400/na300/na200h plc programming software	scope:	eq	version:	v5.7.0	Trust: 0.2
vendor:	nanda auto jiangsu	model:	napro--na 200h plc programming software	scope:	eq	version:	v5.7.0	Trust: 0.2
vendor:	nanda auto jiangsu	model:	napro--na plc programming software	scope:	eq	version:	300v5.7.0	Trust: 0.2

sources: IVD: e2f74ec2-39ab-11e9-a86c-000c29342cb1 // CNVD: CNVD-2018-13548

CVSS

SEVERITY

CVSSV2

CVSSV3

CNVD:	CNVD-2018-13548
value:	MEDIUM
Trust: 0.6
IVD:	e2f74ec2-39ab-11e9-a86c-000c29342cb1
value:	MEDIUM
Trust: 0.2

CNVD:	CNVD-2018-13548
severity:	MEDIUM
baseScore:	4.9
vectorString:	AV:L/AC:L/AU:N/C:N/I:N/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	e2f74ec2-39ab-11e9-a86c-000c29342cb1
severity:	MEDIUM
baseScore:	4.9
vectorString:	AV:L/AC:L/AU:N/C:N/I:N/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2

sources: IVD: e2f74ec2-39ab-11e9-a86c-000c29342cb1 // CNVD: CNVD-2018-13548

TYPE

Resource management error

Trust: 0.2

sources: IVD: e2f74ec2-39ab-11e9-a86c-000c29342cb1

PATCH

title:

NAPro--PLC programming software V5.7.0 has a memory corruption vulnerability

url:

https://www.cnvd.org.cn/patchinfo/show/133681

Trust: 0.6

sources: CNVD: CNVD-2018-13548

EXTERNAL IDS

db:	CNVD	id:	CNVD-2018-13548	Trust: 0.8
db:	IVD	id:	E2F74EC2-39AB-11E9-A86C-000C29342CB1	Trust: 0.2

sources: IVD: e2f74ec2-39ab-11e9-a86c-000c29342cb1 // CNVD: CNVD-2018-13548

SOURCES

db:	IVD	id:	e2f74ec2-39ab-11e9-a86c-000c29342cb1
db:	CNVD	id:	CNVD-2018-13548

LAST UPDATE DATE

2022-05-17T02:09:44.445000+00:00

SOURCES UPDATE DATE

db:

CNVD

id:

CNVD-2018-13548

date:

2018-08-03T00:00:00

SOURCES RELEASE DATE

db:	IVD	id:	e2f74ec2-39ab-11e9-a86c-000c29342cb1	date:	2018-07-20T00:00:00
db:	CNVD	id:	CNVD-2018-13548	date:	2018-08-19T00:00:00