Details of VAR-201809-0158

ID

VAR-201809-0158

CVE

CVE-2018-14824

TITLE

Delta Electronics Delta Industrial Automation PMSoft Vulnerable to out-of-bounds reading

Trust: 0.8

sources: JVNDB: JVNDB-2018-012400

DESCRIPTION

Delta Electronics Delta Industrial Automation PMSoft v2.11 or prior has an out-of-bounds read vulnerability that can be executed when processing project files, which may allow an attacker to read confidential information. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the handling of PPM files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. An attacker can exploit this issue to obtain sensitive information that may aid in further attacks

Trust: 2.52

sources: NVD: CVE-2018-14824 // JVNDB: JVNDB-2018-012400 // ZDI: ZDI-18-1093 // BID: 105409

AFFECTED PRODUCTS

vendor:	deltaww	model:	delta industrial automation pmsoft	scope:	lte	version:	2.11	Trust: 1.0
vendor:	delta	model:	industrial automation pmsoft	scope:	lte	version:	2.11	Trust: 0.8
vendor:	delta industrial automation	model:	pmsoft	scope:	-	version:	-	Trust: 0.7
vendor:	deltaww	model:	delta industrial automation pmsoft	scope:	eq	version:	2.11	Trust: 0.6
vendor:	delta	model:	electronics inc pmsoft	scope:	eq	version:	2.11	Trust: 0.3
vendor:	delta	model:	electronics inc pmsoft	scope:	eq	version:	2.10.10	Trust: 0.3
vendor:	delta	model:	electronics inc pmsoft	scope:	eq	version:	2.10	Trust: 0.3
vendor:	delta	model:	electronics inc pmsoft	scope:	eq	version:	2.0	Trust: 0.3
vendor:	delta	model:	electronics inc pmsoft	scope:	ne	version:	2.12	Trust: 0.3

sources: ZDI: ZDI-18-1093 // BID: 105409 // JVNDB: JVNDB-2018-012400 // CNNVD: CNNVD-201809-1220 // NVD: CVE-2018-14824

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-14824
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2018-14824
value:	MEDIUM
Trust: 0.8
ZDI:	CVE-2018-14824
value:	MEDIUM
Trust: 0.7
CNNVD:	CNNVD-201809-1220
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2018-14824
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 2.5

nvd@nist.gov:	CVE-2018-14824
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	3.6
version:	3.0
Trust: 1.8

sources: ZDI: ZDI-18-1093 // JVNDB: JVNDB-2018-012400 // CNNVD: CNNVD-201809-1220 // NVD: CVE-2018-14824

PROBLEMTYPE DATA

problemtype:

CWE-125

Trust: 1.8

sources: JVNDB: JVNDB-2018-012400 // NVD: CVE-2018-14824

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201809-1220

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-201809-1220

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-012400

PATCH

title:	Customer Service	url:	http://www.deltaww.com/services/DownloadCenter2.aspx?secID=8&pid=2&tid=0&CID=06&itemID=060301&typeID=1&downloadID=,&title=--%20Select%20Product%20Series%20--&dataType=8;&check=1&hl=en-US	Trust: 0.8
title:	Delta Industrial Automation has issued an update to correct this vulnerability.	url:	https://ics-cert.us-cert.gov/advisories/ICSA-18-270-04	Trust: 0.7
title:	Delta Electronics Delta Industrial Automation PMSoft Buffer error vulnerability fix	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=85236	Trust: 0.6

sources: ZDI: ZDI-18-1093 // JVNDB: JVNDB-2018-012400 // CNNVD: CNNVD-201809-1220

EXTERNAL IDS

db:	NVD	id:	CVE-2018-14824	Trust: 3.4
db:	ICS CERT	id:	ICSA-18-270-04	Trust: 2.7
db:	BID	id:	105409	Trust: 1.9
db:	JVNDB	id:	JVNDB-2018-012400	Trust: 0.8
db:	ZDI_CAN	id:	ZDI-CAN-6322	Trust: 0.7
db:	ZDI	id:	ZDI-18-1093	Trust: 0.7
db:	CNNVD	id:	CNNVD-201809-1220	Trust: 0.6

sources: ZDI: ZDI-18-1093 // BID: 105409 // JVNDB: JVNDB-2018-012400 // CNNVD: CNNVD-201809-1220 // NVD: CVE-2018-14824

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-18-270-04	Trust: 3.4
url:	http://www.securityfocus.com/bid/105409	Trust: 1.6
url:	http://www.deltaww.com/services/downloadcenter2.aspx?secid=8&pid=2&tid=0&cid=06&itemid=060301&typeid=1&downloadid=%2c&title=--%20select%20product%20series%20--&datatype=8%3b&check=1&hl=en-us	Trust: 1.0
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-14824	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2018-14824	Trust: 0.8
url:	http://www.deltaww.com/services/downloadcenter2.aspx?secid=8&pid=2&tid=0&cid=06&itemid=060301&typeid=1&downloadid=	Trust: 0.6
url:	http://www.deltaww.com/	Trust: 0.3

sources: ZDI: ZDI-18-1093 // BID: 105409 // JVNDB: JVNDB-2018-012400 // CNNVD: CNNVD-201809-1220 // NVD: CVE-2018-14824

CREDITS

Mat Powell of Trend Micro Zero Day Initiative

Trust: 0.7

sources: ZDI: ZDI-18-1093

SOURCES

db:	ZDI	id:	ZDI-18-1093
db:	BID	id:	105409
db:	JVNDB	id:	JVNDB-2018-012400
db:	CNNVD	id:	CNNVD-201809-1220
db:	NVD	id:	CVE-2018-14824

LAST UPDATE DATE

2024-11-23T21:52:37.109000+00:00

SOURCES UPDATE DATE

db:	ZDI	id:	ZDI-18-1093	date:	2018-09-28T00:00:00
db:	BID	id:	105409	date:	2018-09-27T00:00:00
db:	JVNDB	id:	JVNDB-2018-012400	date:	2019-02-01T00:00:00
db:	CNNVD	id:	CNNVD-201809-1220	date:	2019-10-17T00:00:00
db:	NVD	id:	CVE-2018-14824	date:	2024-11-21T03:49:52.457

SOURCES RELEASE DATE

db:	ZDI	id:	ZDI-18-1093	date:	2018-09-28T00:00:00
db:	BID	id:	105409	date:	2018-09-27T00:00:00
db:	JVNDB	id:	JVNDB-2018-012400	date:	2019-02-01T00:00:00
db:	CNNVD	id:	CNNVD-201809-1220	date:	2018-09-28T00:00:00
db:	NVD	id:	CVE-2018-14824	date:	2018-09-27T20:29:00.430