Sign-up

ID

VAR-202003-1670


CVE

CVE-2020-7002


TITLE

Delta Industrial Automation CNCSoft ScreenEditor Out-of-bounds write vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2020-003024

DESCRIPTION

Delta Industrial Automation CNCSoft ScreenEditor, v1.00.96 and prior. Multiple stack-based buffer overflows can be exploited when a valid user opens a specially crafted, malicious input file. Delta Industrial Automation CNCSoft ScreenEditor Is vulnerable to out-of-bounds writes.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Delta Industrial Automation CNCSoft ScreenEditor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the parsing of GifName information in DPB files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of Administrator. Delta Electronics CNCSoft ScreenEditor is a set of CNC machine tool simulation system software of Taiwan Delta Electronics (Delta Electronics) company. There is a buffer overflow vulnerability in Delta Electronics CNCSoft ScreenEditor 1.00.96 and previous versions, which can be exploited by an attacker to cause a stack buffer overflow

Trust: 3.96

sources: NVD: CVE-2020-7002 // JVNDB: JVNDB-2020-003024 // ZDI: ZDI-20-309 // ZDI: ZDI-20-308 // CNVD: CNVD-2020-17485 // IVD: 2d4d5279-ef12-4d99-b4ef-98a6e8d5aaa5 // IVD: 4d70e356-98dd-43f5-983c-c347917a0373 // IVD: 15506b49-3668-4c35-8a59-f69b72198906

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 1.2

sources: IVD: 2d4d5279-ef12-4d99-b4ef-98a6e8d5aaa5 // IVD: 4d70e356-98dd-43f5-983c-c347917a0373 // IVD: 15506b49-3668-4c35-8a59-f69b72198906 // CNVD: CNVD-2020-17485

AFFECTED PRODUCTS

vendor:delta industrial automationmodel:cncsoft screeneditorscope: - version: -

Trust: 1.4

vendor:deltawwmodel:cncsoft screeneditorscope:lteversion:1.00.96

Trust: 1.0

vendor:deltamodel:cncsoft screeneditorscope:eqversion:1.00.96

Trust: 0.8

vendor:cncsoft screeneditormodel: - scope:eqversion:*

Trust: 0.6

vendor:deltamodel:electronics delta electronics cncsoft screeneditorscope:lteversion:<=1.00.96

Trust: 0.6

sources: IVD: 2d4d5279-ef12-4d99-b4ef-98a6e8d5aaa5 // IVD: 4d70e356-98dd-43f5-983c-c347917a0373 // IVD: 15506b49-3668-4c35-8a59-f69b72198906 // ZDI: ZDI-20-309 // ZDI: ZDI-20-308 // CNVD: CNVD-2020-17485 // JVNDB: JVNDB-2020-003024 // NVD: CVE-2020-7002

CVSS

SEVERITY

CVSSV2

CVSSV3

ZDI: CVE-2020-7002
value: HIGH

Trust: 1.4

nvd@nist.gov: CVE-2020-7002
value: HIGH

Trust: 1.0

NVD: JVNDB-2020-003024
value: HIGH

Trust: 0.8

CNVD: CNVD-2020-17485
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202003-1033
value: HIGH

Trust: 0.6

IVD: 2d4d5279-ef12-4d99-b4ef-98a6e8d5aaa5
value: HIGH

Trust: 0.2

IVD: 4d70e356-98dd-43f5-983c-c347917a0373
value: HIGH

Trust: 0.2

IVD: 15506b49-3668-4c35-8a59-f69b72198906
value: HIGH

Trust: 0.2

nvd@nist.gov: CVE-2020-7002
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-003024
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2020-17485
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 2d4d5279-ef12-4d99-b4ef-98a6e8d5aaa5
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

IVD: 4d70e356-98dd-43f5-983c-c347917a0373
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

IVD: 15506b49-3668-4c35-8a59-f69b72198906
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

ZDI: CVE-2020-7002
baseSeverity: HIGH
baseScore: 7.8
vectorString: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 1.4

nvd@nist.gov: CVE-2020-7002
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-003024
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: IVD: 2d4d5279-ef12-4d99-b4ef-98a6e8d5aaa5 // IVD: 4d70e356-98dd-43f5-983c-c347917a0373 // IVD: 15506b49-3668-4c35-8a59-f69b72198906 // ZDI: ZDI-20-309 // ZDI: ZDI-20-308 // CNVD: CNVD-2020-17485 // JVNDB: JVNDB-2020-003024 // CNNVD: CNNVD-202003-1033 // NVD: CVE-2020-7002

PROBLEMTYPE DATA

problemtype:CWE-787

Trust: 1.8

problemtype:CWE-121

Trust: 1.0

sources: JVNDB: JVNDB-2020-003024 // NVD: CVE-2020-7002

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202003-1033

TYPE

Buffer error

Trust: 1.2

sources: IVD: 2d4d5279-ef12-4d99-b4ef-98a6e8d5aaa5 // IVD: 4d70e356-98dd-43f5-983c-c347917a0373 // IVD: 15506b49-3668-4c35-8a59-f69b72198906 // CNNVD: CNNVD-202003-1033

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2020-003024

PATCH
title:Delta Industrial Automation has issued an update to correct this vulnerability.url:https://www.us-cert.gov/ics/advisories/icsa-20-077-01
Trust: 1.4
title:Top Pageurl:http://www.deltaww.com/
Trust: 0.8
title:Patch for Delta Electronics CNCSoft ScreenEditor buffer overflow vulnerability (CNVD-2020-17485)url:https://www.cnvd.org.cn/patchInfo/show/209165
Trust: 0.6
title:Delta Electronics Delta Industrial Automation CNCSoft Buffer error vulnerability fixurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=112453
Trust: 0.6
sources:
            
            
            ZDI: ZDI-20-309 // 
            
            
            
            ZDI: ZDI-20-308 // 
            
            
            
            CNVD: CNVD-2020-17485 // 
            
            
            
            JVNDB: JVNDB-2020-003024 // 
            
            
            
            CNNVD: CNNVD-202003-1033

EXTERNAL IDS
db:NVDid:CVE-2020-7002
Trust: 5.0
db:ICS CERTid:ICSA-20-077-01
Trust: 3.0
db:ZDIid:ZDI-20-309
Trust: 1.3
db:CNVDid:CNVD-2020-17485
Trust: 1.2
db:CNNVDid:CNNVD-202003-1033
Trust: 1.2
db:JVNDBid:JVNDB-2020-003024
Trust: 0.8
db:ZDI_CANid:ZDI-CAN-10413
Trust: 0.7
db:ZDI_CANid:ZDI-CAN-10141
Trust: 0.7
db:ZDIid:ZDI-20-308
Trust: 0.7
db:NSFOCUSid:47404
Trust: 0.6
db:AUSCERTid:ESB-2020.0991
Trust: 0.6
db:IVDid:2D4D5279-EF12-4D99-B4EF-98A6E8D5AAA5
Trust: 0.2
db:IVDid:4D70E356-98DD-43F5-983C-C347917A0373
Trust: 0.2
db:IVDid:15506B49-3668-4C35-8A59-F69B72198906
Trust: 0.2
sources:
            
            
            IVD: 2d4d5279-ef12-4d99-b4ef-98a6e8d5aaa5 // 
            
            
            
            IVD: 4d70e356-98dd-43f5-983c-c347917a0373 // 
            
            
            
            IVD: 15506b49-3668-4c35-8a59-f69b72198906 // 
            
            
            
            ZDI: ZDI-20-309 // 
            
            
            
            ZDI: ZDI-20-308 // 
            
            
            
            CNVD: CNVD-2020-17485 // 
            
            
            
            JVNDB: JVNDB-2020-003024 // 
            
            
            
            CNNVD: CNNVD-202003-1033 // 
            
            
            
            NVD: CVE-2020-7002

REFERENCES
url:https://www.us-cert.gov/ics/advisories/icsa-20-077-01
Trust: 4.4
url:https://nvd.nist.gov/vuln/detail/cve-2020-7002
Trust: 1.4
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-7002
Trust: 0.8
url:https://www.auscert.org.au/bulletins/esb-2020.0991/
Trust: 0.6
url:https://www.zerodayinitiative.com/advisories/zdi-20-309/
Trust: 0.6
url:http://www.nsfocus.net/vulndb/47404
Trust: 0.6
sources:
            
            
            ZDI: ZDI-20-309 // 
            
            
            
            ZDI: ZDI-20-308 // 
            
            
            
            CNVD: CNVD-2020-17485 // 
            
            
            
            JVNDB: JVNDB-2020-003024 // 
            
            
            
            CNNVD: CNNVD-202003-1033 // 
            
            
            
            NVD: CVE-2020-7002

CREDITS
kimiya
Trust: 0.7
sources:
            
            
            ZDI: ZDI-20-309

SOURCES
db:IVDid:2d4d5279-ef12-4d99-b4ef-98a6e8d5aaa5
db:IVDid:4d70e356-98dd-43f5-983c-c347917a0373
db:IVDid:15506b49-3668-4c35-8a59-f69b72198906
db:ZDIid:ZDI-20-309
db:ZDIid:ZDI-20-308
db:CNVDid:CNVD-2020-17485
db:JVNDBid:JVNDB-2020-003024
db:CNNVDid:CNNVD-202003-1033
db:NVDid:CVE-2020-7002

LAST UPDATE DATE
2024-11-23T22:11:35.466000+00:00

SOURCES UPDATE DATE
db:ZDIid:ZDI-20-309date:2020-03-17T00:00:00
db:ZDIid:ZDI-20-308date:2020-03-17T00:00:00
db:CNVDid:CNVD-2020-17485date:2020-03-18T00:00:00
db:JVNDBid:JVNDB-2020-003024date:2020-04-01T00:00:00
db:CNNVDid:CNNVD-202003-1033date:2020-08-05T00:00:00
db:NVDid:CVE-2020-7002date:2024-11-21T05:36:28.213

SOURCES RELEASE DATE
db:IVDid:2d4d5279-ef12-4d99-b4ef-98a6e8d5aaa5date:2020-03-17T00:00:00
db:IVDid:4d70e356-98dd-43f5-983c-c347917a0373date:2020-03-17T00:00:00
db:IVDid:15506b49-3668-4c35-8a59-f69b72198906date:2020-03-17T00:00:00
db:ZDIid:ZDI-20-309date:2020-03-17T00:00:00
db:ZDIid:ZDI-20-308date:2020-03-17T00:00:00
db:CNVDid:CNVD-2020-17485date:2020-03-18T00:00:00
db:JVNDBid:JVNDB-2020-003024date:2020-04-01T00:00:00
db:CNNVDid:CNNVD-202003-1033date:2020-03-17T00:00:00
db:NVDid:CVE-2020-7002date:2020-03-18T13:15:12.497