Sign-up

ID

VAR-202108-0789


CVE

CVE-2021-32931


TITLE

Fatek Automation FvDesigner FPJ File Parsing Uninitialized Pointer Remote Code Execution Vulnerability

Trust: 1.4

sources: ZDI: ZDI-21-1030 // ZDI: ZDI-21-1027

DESCRIPTION

An uninitialized pointer in FATEK Automation FvDesigner, Versions 1.5.88 and prior may be exploited while the application is processing project files, allowing an attacker to craft a special project file that may permit arbitrary code execution. FATEK Automation Provided by the company FvDesigner Is FATEK FVHMI A software tool used to design and develop series product projects. FvDesigner The following multiple vulnerabilities exist in. * Uninitialized pointer access ( CWE-824 ) - CVE-2021-32931 ‥ * Stack-based buffer overflow ( CWE-121 ) - CVE-2021-32947 ‥ * Out-of-bounds writing ( CWE-787 ) - CVE-2021-32939The expected impact depends on each vulnerability, but it may be affected as follows. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Fatek Automation FvDesigner. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the parsing of FPJ files. The issue results from the lack of proper initialization of a pointer prior to accessing it. An attacker can leverage this vulnerability to execute code in the context of the current process. FATEK Automation FvDesigner is a human-computer interaction device of FATEK Automation. FATEK Automation FvDesigner 1.5.88 and earlier versions have a buffer overflow vulnerability. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements

Trust: 4.05

sources: NVD: CVE-2021-32931 // JVNDB: JVNDB-2021-002266 // ZDI: ZDI-21-1030 // ZDI: ZDI-21-1027 // CNVD: CNVD-2021-70167 // CNNVD: CNNVD-202104-975 // VULMON: CVE-2021-32931

IOT TAXONOMY

category:['IoT']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2021-70167

AFFECTED PRODUCTS

vendor:fatek automationmodel:fvdesignerscope: - version: -

Trust: 1.4

vendor:fatekmodel:fvdesignerscope:lteversion:1.5.88

Trust: 1.0

vendor:fatek automationmodel:fvdesignerscope:eqversion: -

Trust: 0.8

vendor:fatek automationmodel:fvdesignerscope:lteversion:1.5.88 and earlier

Trust: 0.8

vendor:fatekmodel:automation fvdesignerscope:lteversion:<=1.5.88

Trust: 0.6

sources: ZDI: ZDI-21-1030 // ZDI: ZDI-21-1027 // CNVD: CNVD-2021-70167 // JVNDB: JVNDB-2021-002266 // NVD: CVE-2021-32931

CVSS

SEVERITY

CVSSV2

CVSSV3

ZDI: CVE-2021-32931
value: HIGH

Trust: 1.4

nvd@nist.gov: CVE-2021-32931
value: HIGH

Trust: 1.0

OTHER: JVNDB-2021-002266
value: HIGH

Trust: 0.8

CNVD: CNVD-2021-70167
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202104-975
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202108-490
value: HIGH

Trust: 0.6

VULMON: CVE-2021-32931
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2021-32931
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

CNVD: CNVD-2021-70167
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

ZDI: CVE-2021-32931
baseSeverity: HIGH
baseScore: 7.8
vectorString: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 1.4

nvd@nist.gov: CVE-2021-32931
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 1.0

OTHER: JVNDB-2021-002266
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: ZDI: ZDI-21-1030 // ZDI: ZDI-21-1027 // CNVD: CNVD-2021-70167 // VULMON: CVE-2021-32931 // JVNDB: JVNDB-2021-002266 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202108-490 // NVD: CVE-2021-32931

PROBLEMTYPE DATA

problemtype:CWE-824

Trust: 1.0

problemtype:Stack-based buffer overflow (CWE-121) [ Other ]

Trust: 0.8

problemtype: Out-of-bounds writing (CWE-787) [ Other ]

Trust: 0.8

problemtype: Accessing uninitialized pointers (CWE-824) [ Other ]

Trust: 0.8

sources: JVNDB: JVNDB-2021-002266 // NVD: CVE-2021-32931

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202108-490

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

PATCH

title:Fatek Automation has issued an update to correct this vulnerability.url:https://us-cert.cisa.gov/ics/advisories/icsa-21-217-02

Trust: 1.4

title:Contact Usurl:https://www.fatek.com/en/contact_us.php

Trust: 0.8

title:Patch for FATEK Automation FvDesigner buffer overflow vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/290606

Trust: 0.6

title:FATEK Automation FvDesigner Buffer error vulnerability fixurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=158775

Trust: 0.6

title:CVE-2021-32931url:https://github.com/AlAIAL90/CVE-2021-32931

Trust: 0.1

sources: ZDI: ZDI-21-1030 // ZDI: ZDI-21-1027 // CNVD: CNVD-2021-70167 // VULMON: CVE-2021-32931 // JVNDB: JVNDB-2021-002266 // CNNVD: CNNVD-202108-490

EXTERNAL IDS

db:NVDid:CVE-2021-32931

Trust: 4.5

db:ICS CERTid:ICSA-21-217-02

Trust: 2.5

db:ZDIid:ZDI-21-1030

Trust: 2.4

db:ZDIid:ZDI-21-1027

Trust: 2.4

db:JVNid:JVNVU99370832

Trust: 0.8

db:JVNDBid:JVNDB-2021-002266

Trust: 0.8

db:ZDI_CANid:ZDI-CAN-13400

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-13388

Trust: 0.7

db:CNVDid:CNVD-2021-70167

Trust: 0.6

db:CS-HELPid:SB2021041363

Trust: 0.6

db:CNNVDid:CNNVD-202104-975

Trust: 0.6

db:AUSCERTid:ESB-2021.2660

Trust: 0.6

db:CS-HELPid:SB2021080604

Trust: 0.6

db:CNNVDid:CNNVD-202108-490

Trust: 0.6

db:VULMONid:CVE-2021-32931

Trust: 0.1

sources: ZDI: ZDI-21-1030 // ZDI: ZDI-21-1027 // CNVD: CNVD-2021-70167 // VULMON: CVE-2021-32931 // JVNDB: JVNDB-2021-002266 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202108-490 // NVD: CVE-2021-32931

REFERENCES

url:https://us-cert.cisa.gov/ics/advisories/icsa-21-217-02

Trust: 4.5

url:https://www.zerodayinitiative.com/advisories/zdi-21-1030/

Trust: 2.3

url:https://www.zerodayinitiative.com/advisories/zdi-21-1027/

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2021-32931

Trust: 1.2

url:http://jvn.jp/cert/jvnvu99370832

Trust: 0.8

url:https://www.cybersecurity-help.cz/vdb/sb2021041363

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2021080604

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.2660

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/824.html

Trust: 0.1

url:https://github.com/alaial90/cve-2021-32931

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: ZDI: ZDI-21-1030 // ZDI: ZDI-21-1027 // CNVD: CNVD-2021-70167 // VULMON: CVE-2021-32931 // JVNDB: JVNDB-2021-002266 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202108-490 // NVD: CVE-2021-32931

CREDITS

Anonymous

Trust: 2.0

sources: ZDI: ZDI-21-1030 // ZDI: ZDI-21-1027 // CNNVD: CNNVD-202108-490

SOURCES

db:ZDIid:ZDI-21-1030
db:ZDIid:ZDI-21-1027
db:CNVDid:CNVD-2021-70167
db:VULMONid:CVE-2021-32931
db:JVNDBid:JVNDB-2021-002266
db:CNNVDid:CNNVD-202104-975
db:CNNVDid:CNNVD-202108-490
db:NVDid:CVE-2021-32931

LAST UPDATE DATE

2024-08-14T12:37:54.477000+00:00


SOURCES UPDATE DATE

db:ZDIid:ZDI-21-1030date:2021-08-27T00:00:00
db:ZDIid:ZDI-21-1027date:2021-08-27T00:00:00
db:CNVDid:CNVD-2021-70167date:2021-09-12T00:00:00
db:VULMONid:CVE-2021-32931date:2021-08-27T00:00:00
db:JVNDBid:JVNDB-2021-002266date:2021-08-10T07:08:00
db:CNNVDid:CNNVD-202104-975date:2021-04-14T00:00:00
db:CNNVDid:CNNVD-202108-490date:2021-08-30T00:00:00
db:NVDid:CVE-2021-32931date:2021-09-21T18:16:46.977

SOURCES RELEASE DATE

db:ZDIid:ZDI-21-1030date:2021-08-27T00:00:00
db:ZDIid:ZDI-21-1027date:2021-08-27T00:00:00
db:CNVDid:CNVD-2021-70167date:2021-09-12T00:00:00
db:VULMONid:CVE-2021-32931date:2021-08-11T00:00:00
db:JVNDBid:JVNDB-2021-002266date:2021-08-10T00:00:00
db:CNNVDid:CNNVD-202104-975date:2021-04-13T00:00:00
db:CNNVDid:CNNVD-202108-490date:2021-08-05T00:00:00
db:NVDid:CVE-2021-32931date:2021-08-11T13:15:16.137