ID

VAR-201907-1460


CVE

CVE-2019-10992


TITLE

Delta Industrial Automation CNCSoft ScreenEditor DPB File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability

Trust: 1.4

sources: ZDI: ZDI-19-674 // ZDI: ZDI-19-675

DESCRIPTION

Delta Electronics CNCSoft ScreenEditor, versions 1.00.89 and prior. Multiple out-of-bounds read vulnerabilities may cause information disclosure due to lacking user input validation for processing project files. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Delta Industrial Automation CNCSoft ScreenEditor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DPB files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of an administrator. Multiple heap-based buffer-overflow vulnerabilities 2. Multiple information disclosure vulnerabilities. Failed exploit attempts will likely cause a denial-of-service condition.

Trust: 3.15

sources: NVD: CVE-2019-10992 // JVNDB: JVNDB-2019-006979 // ZDI: ZDI-19-674 // ZDI: ZDI-19-675 // BID: 109154

AFFECTED PRODUCTS

vendor: delta industrial automation
model: cncsoft screeneditor
scope: -
version: -

Trust: 1.4

vendor: deltaww
model: cnssoft screeneditor
scope: lte
version: 1.00.89

Trust: 1.0

vendor: delta
model: screeneditor
scope: lte
version: 1.00.89

Trust: 0.8

vendor: delta
model: electronics inc cncsoft screeneditor
scope: eq
version: 1.0.89

Trust: 0.3

vendor: delta
model: electronics inc cncsoft screeneditor
scope: eq
version: 1.0.88

Trust: 0.3

vendor: delta
model: electronics inc cncsoft screeneditor
scope: eq
version: 1.0.84

Trust: 0.3

vendor: delta
model: electronics inc cncsoft screeneditor
scope: ne
version: 1.0.94

Trust: 0.3

sources: ZDI: ZDI-19-674 // ZDI: ZDI-19-675 // BID: 109154 // JVNDB: JVNDB-2019-006979 // NVD: CVE-2019-10992

CVSS

SEVERITY

CVSSV2

CVSSV3

ZDI: CVE-2019-10992
value: LOW

Trust: 1.4

nvd@nist.gov: CVE-2019-10992
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-10992
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201907-711
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2019-10992
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

nvd@nist.gov: CVE-2019-10992
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 1.8
impactScore: 3.6
version: 3.0

Trust: 1.8

ZDI: CVE-2019-10992
baseSeverity: LOW
baseScore: 3.3
vectorString: AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 1.8
impactScore: 1.4
version: 3.0

Trust: 1.4

sources: ZDI: ZDI-19-674 // ZDI: ZDI-19-675 // JVNDB: JVNDB-2019-006979 // CNNVD: CNNVD-201907-711 // NVD: CVE-2019-10992

PROBLEMTYPE DATA

problemtype: CWE-125

Trust: 1.8

sources: JVNDB: JVNDB-2019-006979 // NVD: CVE-2019-10992

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201907-711

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-201907-711

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-006979

PATCH

title: Delta Industrial Automation has issued an update to correct this vulnerability.
url: https://www.us-cert.gov/ics/advisories/icsa-19-192-01

Trust: 1.4

title: Top Page
url: https://www.deltaww.com/

Trust: 0.8

title: Delta Electronics CNCSoft ScreenEditor Buffer error vulnerability fix
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=94737

Trust: 0.6

sources: ZDI: ZDI-19-674 // ZDI: ZDI-19-675 // JVNDB: JVNDB-2019-006979 // CNNVD: CNNVD-201907-711

EXTERNAL IDS

db: NVD
id: CVE-2019-10992

Trust: 4.1

db: ICS CERT
id: ICSA-19-192-01

Trust: 2.7

db: ZDI
id: ZDI-19-675

Trust: 1.3

db: BID
id: 109154

Trust: 0.9

db: JVNDB
id: JVNDB-2019-006979

Trust: 0.8

db: ZDI_CAN
id: ZDI-CAN-8634

Trust: 0.7

db: ZDI
id: ZDI-19-674

Trust: 0.7

db: ZDI_CAN
id: ZDI-CAN-8648

Trust: 0.7

db: AUSCERT
id: ESB-2019.2578

Trust: 0.6

db: CNNVD
id: CNNVD-201907-711

Trust: 0.6

sources: ZDI: ZDI-19-674 // ZDI: ZDI-19-675 // BID: 109154 // JVNDB: JVNDB-2019-006979 // CNNVD: CNNVD-201907-711 // NVD: CVE-2019-10992

REFERENCES

url: https://www.us-cert.gov/ics/advisories/icsa-19-192-01

Trust: 4.1

url: https://nvd.nist.gov/vuln/detail/cve-2019-10992

Trust: 1.4

url: http://www.deltaww.com/

Trust: 0.9

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-10992

Trust: 0.8

url: https://www.auscert.org.au/bulletins/esb-2019.2578/

Trust: 0.6

url: https://www.securityfocus.com/bid/109154

Trust: 0.6

url: https://www.zerodayinitiative.com/advisories/zdi-19-675/

Trust: 0.6

sources: ZDI: ZDI-19-674 // ZDI: ZDI-19-675 // BID: 109154 // JVNDB: JVNDB-2019-006979 // CNNVD: CNNVD-201907-711 // NVD: CVE-2019-10992

CREDITS

Natnael Samson (@NattiSamson)

Trust: 1.4

sources: ZDI: ZDI-19-674 // ZDI: ZDI-19-675

SOURCES

db: ZDI, id: ZDI-19-674
db: ZDI, id: ZDI-19-675
db: BID, id: 109154
db: JVNDB, id: JVNDB-2019-006979
db: CNNVD, id: CNNVD-201907-711
db: NVD, id: CVE-2019-10992

LAST UPDATE DATE

2024-11-23T22:55:30.352000+00:00


SOURCES UPDATE DATE

db: ZDI, id: ZDI-19-674, date: 2019-07-22T00:00:00
db: ZDI, id: ZDI-19-675, date: 2019-07-22T00:00:00
db: BID, id: 109154, date: 2019-07-11T00:00:00
db: JVNDB, id: JVNDB-2019-006979, date: 2019-07-30T00:00:00
db: CNNVD, id: CNNVD-201907-711, date: 2019-07-30T00:00:00
db: NVD, id: CVE-2019-10992, date: 2024-11-21T04:20:18.627

SOURCES RELEASE DATE

db: ZDI, id: ZDI-19-674, date: 2019-07-22T00:00:00
db: ZDI, id: ZDI-19-675, date: 2019-07-22T00:00:00
db: BID, id: 109154, date: 2019-07-11T00:00:00
db: JVNDB, id: JVNDB-2019-006979, date: 2019-07-30T00:00:00
db: CNNVD, id: CNNVD-201907-711, date: 2019-07-12T00:00:00
db: NVD, id: CVE-2019-10992, date: 2019-07-24T15:15:12.057