Sign-up

ID

VAR-201907-1458


CVE

CVE-2019-10982


TITLE

Delta Industrial Automation CNCSoft ScreenEditor DPB File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability

Trust: 1.4

sources: ZDI: ZDI-19-673 // ZDI: ZDI-19-672

DESCRIPTION

Delta Electronics CNCSoft ScreenEditor, Versions 1.00.89 and prior. Multiple heap-based buffer overflow vulnerabilities may be exploited by processing specially crafted project files, allowing an attacker to remotely execute arbitrary code. There is a lack of user input validation before copying data from project files onto the heap. Delta Electronics CNCSoft ScreenEditor Contains a buffer error vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Delta Industrial Automation CNCSoft ScreenEditor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the parsing of DPB files. An attacker can leverage this vulnerability to execute code in the context of an administrator. Multiple heap-based buffer-overflow vulnerabilities 2. Multiple information disclosure vulnerabilities. Failed exploit attempts will likely cause a denial-of-service condition

Trust: 3.15

sources: NVD: CVE-2019-10982 // JVNDB: JVNDB-2019-006980 // ZDI: ZDI-19-673 // ZDI: ZDI-19-672 // BID: 109154

AFFECTED PRODUCTS

vendor:delta industrial automationmodel:cncsoft screeneditorscope: - version: -

Trust: 1.4

vendor:deltawwmodel:cnssoft screeneditorscope:lteversion:1.00.89

Trust: 1.0

vendor:deltamodel:screeneditorscope:lteversion:1.00.89

Trust: 0.8

vendor:deltamodel:electronics inc cncsoft screeneditorscope:eqversion:1.0.89

Trust: 0.3

vendor:deltamodel:electronics inc cncsoft screeneditorscope:eqversion:1.0.88

Trust: 0.3

vendor:deltamodel:electronics inc cncsoft screeneditorscope:eqversion:1.0.84

Trust: 0.3

vendor:deltamodel:electronics inc cncsoft screeneditorscope:neversion:1.0.94

Trust: 0.3

sources: ZDI: ZDI-19-673 // ZDI: ZDI-19-672 // BID: 109154 // JVNDB: JVNDB-2019-006980 // NVD: CVE-2019-10982

CVSS

SEVERITY

CVSSV2

CVSSV3

ZDI: CVE-2019-10982
value: HIGH

Trust: 1.4

nvd@nist.gov: CVE-2019-10982
value: HIGH

Trust: 1.0

NVD: CVE-2019-10982
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201907-693
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2019-10982
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

ZDI: CVE-2019-10982
baseSeverity: HIGH
baseScore: 7.8
vectorString: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 1.4

nvd@nist.gov: CVE-2019-10982
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2019-10982
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: ZDI: ZDI-19-673 // ZDI: ZDI-19-672 // JVNDB: JVNDB-2019-006980 // CNNVD: CNNVD-201907-693 // NVD: CVE-2019-10982

PROBLEMTYPE DATA

problemtype:CWE-122

Trust: 1.0

problemtype:CWE-787

Trust: 1.0

problemtype:CWE-119

Trust: 0.8

sources: JVNDB: JVNDB-2019-006980 // NVD: CVE-2019-10982

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201907-693

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-201907-693

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2019-006980

PATCH
title:Delta Industrial Automation has issued an update to correct this vulnerability.url:https://www.us-cert.gov/ics/advisories/icsa-19-192-01
Trust: 1.4
title:Top Pageurl:https://www.deltaww.com/
Trust: 0.8
title:Delta Electronics CNCSoft ScreenEditor Buffer error vulnerability fixurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=95227
Trust: 0.6
sources:
            
            
            ZDI: ZDI-19-673 // 
            
            
            
            ZDI: ZDI-19-672 // 
            
            
            
            JVNDB: JVNDB-2019-006980 // 
            
            
            
            CNNVD: CNNVD-201907-693

EXTERNAL IDS
db:NVDid:CVE-2019-10982
Trust: 4.1
db:ICS CERTid:ICSA-19-192-01
Trust: 2.7
db:ZDIid:ZDI-19-673
Trust: 1.3
db:BIDid:109154
Trust: 0.9
db:JVNDBid:JVNDB-2019-006980
Trust: 0.8
db:ZDI_CANid:ZDI-CAN-8633
Trust: 0.7
db:ZDI_CANid:ZDI-CAN-8629
Trust: 0.7
db:ZDIid:ZDI-19-672
Trust: 0.7
db:AUSCERTid:ESB-2019.2578
Trust: 0.6
db:CNNVDid:CNNVD-201907-693
Trust: 0.6
sources:
            
            
            ZDI: ZDI-19-673 // 
            
            
            
            ZDI: ZDI-19-672 // 
            
            
            
            BID: 109154 // 
            
            
            
            JVNDB: JVNDB-2019-006980 // 
            
            
            
            CNNVD: CNNVD-201907-693 // 
            
            
            
            NVD: CVE-2019-10982

REFERENCES
url:https://www.us-cert.gov/ics/advisories/icsa-19-192-01
Trust: 4.1
url:https://nvd.nist.gov/vuln/detail/cve-2019-10982
Trust: 1.4
url:http://www.deltaww.com/
Trust: 0.9
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-10982
Trust: 0.8
url:https://www.zerodayinitiative.com/advisories/zdi-19-673/
Trust: 0.6
url:https://www.auscert.org.au/bulletins/esb-2019.2578/
Trust: 0.6
url:https://www.securityfocus.com/bid/109154
Trust: 0.6
sources:
            
            
            ZDI: ZDI-19-673 // 
            
            
            
            ZDI: ZDI-19-672 // 
            
            
            
            BID: 109154 // 
            
            
            
            JVNDB: JVNDB-2019-006980 // 
            
            
            
            CNNVD: CNNVD-201907-693 // 
            
            
            
            NVD: CVE-2019-10982

CREDITS
Natnael Samson (@NattiSamson)
Trust: 1.4
sources:
            
            
            ZDI: ZDI-19-673 // 
            
            
            
            ZDI: ZDI-19-672

SOURCES
db:ZDIid:ZDI-19-673
db:ZDIid:ZDI-19-672
db:BIDid:109154
db:JVNDBid:JVNDB-2019-006980
db:CNNVDid:CNNVD-201907-693
db:NVDid:CVE-2019-10982

LAST UPDATE DATE
2024-11-23T22:55:30.315000+00:00

SOURCES UPDATE DATE
db:ZDIid:ZDI-19-673date:2019-07-22T00:00:00
db:ZDIid:ZDI-19-672date:2019-07-22T00:00:00
db:BIDid:109154date:2019-07-11T00:00:00
db:JVNDBid:JVNDB-2019-006980date:2019-07-30T00:00:00
db:CNNVDid:CNNVD-201907-693date:2020-10-09T00:00:00
db:NVDid:CVE-2019-10982date:2024-11-21T04:20:17.570

SOURCES RELEASE DATE
db:ZDIid:ZDI-19-673date:2019-07-22T00:00:00
db:ZDIid:ZDI-19-672date:2019-07-22T00:00:00
db:BIDid:109154date:2019-07-11T00:00:00
db:JVNDBid:JVNDB-2019-006980date:2019-07-30T00:00:00
db:CNNVDid:CNNVD-201907-693date:2019-07-11T00:00:00
db:NVDid:CVE-2019-10982date:2019-07-24T15:15:11.993