Sign-up

ID

VAR-201808-0381


CVE

CVE-2018-14797


TITLE

Emerson Electric Deltav Uncontrolled Search Path Element Vulnerability

Trust: 0.8

sources: IVD: e2f88740-39ab-11e9-99de-000c29342cb1 // CNVD: CNVD-2018-15735

DESCRIPTION

Emerson DeltaV DCS versions 11.3.1, 12.3.1, 13.3.0, 13.3.1, R5 allow a specially crafted DLL file to be placed in the search path and loaded as an internal and valid DLL, which may allow arbitrary code execution. Emerson DeltaV DCS Contains a vulnerability related to uncontrolled search path elements.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Emerson Electric DeltaV is a digital automation system from Emerson Electric. The system provides I/O on-demand configuration, embedded intelligent control and alarm panel functions. There is a security hole in Emerson Electric Deltav. An arbitrary-code-execution vulnerability 2. Multiple security-bypass vulnerabilities 3. A stack-based buffer-overflow vulnerability Attackers can exploit these issues to execute arbitrary code and bypass certain security restrictions, perform unauthorized actions, or gain sensitive information within the context of the affected system. Failed exploit attempts will likely result in denial of service conditions

Trust: 2.61

sources: NVD: CVE-2018-14797 // JVNDB: JVNDB-2018-009508 // CNVD: CNVD-2018-15735 // BID: 105105 // IVD: e2f88740-39ab-11e9-99de-000c29342cb1

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.8

sources: IVD: e2f88740-39ab-11e9-99de-000c29342cb1 // CNVD: CNVD-2018-15735

AFFECTED PRODUCTS

vendor:emersonmodel:deltavscope:eqversion:13.3.1

Trust: 2.1

vendor:emersonmodel:deltavscope:eqversion:11.3.1

Trust: 2.1

vendor:emersonmodel:deltavscope:eqversion:12.3.1

Trust: 2.1

vendor:emersonmodel:deltavscope:eqversion:13.3.0

Trust: 1.8

vendor:emersonmodel:deltavscope:eqversion:r5

Trust: 1.8

vendor:emersonmodel:electric deltavscope:eqversion:v11.3.1

Trust: 0.6

vendor:emersonmodel:electric deltavscope:eqversion:v12.3.1

Trust: 0.6

vendor:emersonmodel:electric deltavscope:eqversion:v13.3.0

Trust: 0.6

vendor:emersonmodel:electric deltavscope:eqversion:v13.3.1

Trust: 0.6

vendor:emersonmodel:electric deltav r5scope: - version: -

Trust: 0.6

vendor:emersonmodel:deltav distributed control systemscope:eqversion:13.3.1

Trust: 0.6

vendor:emersonmodel:deltav distributed control systemscope:eqversion:13.3.0

Trust: 0.6

vendor:emersonmodel:deltav distributed control systemscope:eqversion:11.3.1

Trust: 0.6

vendor:emersonmodel:deltav distributed control systemscope:eqversion:r5

Trust: 0.6

vendor:emersonmodel:deltav distributed control systemscope:eqversion:12.3.1

Trust: 0.6

vendor:emersonmodel:deltavscope:eqversion:13.3

Trust: 0.3

vendor:deltav distributed control systemmodel: - scope:eqversion:11.3.1

Trust: 0.2

vendor:deltav distributed control systemmodel: - scope:eqversion:12.3.1

Trust: 0.2

vendor:deltav distributed control systemmodel: - scope:eqversion:13.3.0

Trust: 0.2

vendor:deltav distributed control systemmodel: - scope:eqversion:13.3.1

Trust: 0.2

vendor:deltav distributed control systemmodel:r5scope: - version: -

Trust: 0.2

sources: IVD: e2f88740-39ab-11e9-99de-000c29342cb1 // CNVD: CNVD-2018-15735 // BID: 105105 // JVNDB: JVNDB-2018-009508 // CNNVD: CNNVD-201808-562 // NVD: CVE-2018-14797

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-14797
value: HIGH

Trust: 1.0

NVD: CVE-2018-14797
value: HIGH

Trust: 0.8

CNVD: CNVD-2018-15735
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201808-562
value: HIGH

Trust: 0.6

IVD: e2f88740-39ab-11e9-99de-000c29342cb1
value: HIGH

Trust: 0.2

nvd@nist.gov: CVE-2018-14797
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2018-15735
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: e2f88740-39ab-11e9-99de-000c29342cb1
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2018-14797
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2018-14797
baseSeverity: HIGH
baseScore: 7.3
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: IVD: e2f88740-39ab-11e9-99de-000c29342cb1 // CNVD: CNVD-2018-15735 // JVNDB: JVNDB-2018-009508 // CNNVD: CNNVD-201808-562 // NVD: CVE-2018-14797

PROBLEMTYPE DATA

problemtype:CWE-427

Trust: 1.8

sources: JVNDB: JVNDB-2018-009508 // NVD: CVE-2018-14797

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201808-562

TYPE

Code problem

Trust: 0.8

sources: IVD: e2f88740-39ab-11e9-99de-000c29342cb1 // CNNVD: CNNVD-201808-562

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2018-009508

PATCH
title:DeltaVurl:https://www.emerson.com/en-us/automation/deltav
Trust: 0.8
title:Emerson Electric Deltav Uncontrolled Search Path Element Vulnerability Patchurl:https://www.cnvd.org.cn/patchInfo/show/138019
Trust: 0.6
title:Emerson Electric Deltav Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=84150
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2018-15735 // 
            
            
            
            JVNDB: JVNDB-2018-009508 // 
            
            
            
            CNNVD: CNNVD-201808-562

EXTERNAL IDS
db:NVDid:CVE-2018-14797
Trust: 3.5
db:ICS CERTid:ICSA-18-228-01
Trust: 3.3
db:BIDid:105105
Trust: 2.5
db:CNVDid:CNVD-2018-15735
Trust: 0.8
db:CNNVDid:CNNVD-201808-562
Trust: 0.8
db:JVNDBid:JVNDB-2018-009508
Trust: 0.8
db:IVDid:E2F88740-39AB-11E9-99DE-000C29342CB1
Trust: 0.2
sources:
            
            
            IVD: e2f88740-39ab-11e9-99de-000c29342cb1 // 
            
            
            
            CNVD: CNVD-2018-15735 // 
            
            
            
            BID: 105105 // 
            
            
            
            JVNDB: JVNDB-2018-009508 // 
            
            
            
            CNNVD: CNNVD-201808-562 // 
            
            
            
            NVD: CVE-2018-14797

REFERENCES
url:https://ics-cert.us-cert.gov/advisories/icsa-18-228-01
Trust: 3.3
url:http://www.securityfocus.com/bid/105105
Trust: 1.6
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-14797
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2018-14797
Trust: 0.8
url:http://emerson.com
Trust: 0.3
sources:
            
            
            CNVD: CNVD-2018-15735 // 
            
            
            
            BID: 105105 // 
            
            
            
            JVNDB: JVNDB-2018-009508 // 
            
            
            
            CNNVD: CNNVD-201808-562 // 
            
            
            
            NVD: CVE-2018-14797

CREDITS
Ori Perez of CyberX,Younes Dragoni of Nozomi Networks, and Emerson.
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-201808-562

SOURCES
db:IVDid:e2f88740-39ab-11e9-99de-000c29342cb1
db:CNVDid:CNVD-2018-15735
db:BIDid:105105
db:JVNDBid:JVNDB-2018-009508
db:CNNVDid:CNNVD-201808-562
db:NVDid:CVE-2018-14797

LAST UPDATE DATE
2024-11-23T21:52:56.244000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2018-15735date:2018-08-21T00:00:00
db:BIDid:105105date:2018-08-16T00:00:00
db:JVNDBid:JVNDB-2018-009508date:2018-11-20T00:00:00
db:CNNVDid:CNNVD-201808-562date:2022-07-13T00:00:00
db:NVDid:CVE-2018-14797date:2024-11-21T03:49:48.897

SOURCES RELEASE DATE
db:IVDid:e2f88740-39ab-11e9-99de-000c29342cb1date:2018-08-21T00:00:00
db:CNVDid:CNVD-2018-15735date:2018-08-21T00:00:00
db:BIDid:105105date:2018-08-16T00:00:00
db:JVNDBid:JVNDB-2018-009508date:2018-11-20T00:00:00
db:CNNVDid:CNNVD-201808-562date:2018-08-20T00:00:00
db:NVDid:CVE-2018-14797date:2018-08-23T19:29:01.017