Details of VAR-202108-0790

ID

VAR-202108-0790

CVE

CVE-2021-32939

TITLE

FATEK Automation Made FvDesigner Multiple vulnerabilities in

Trust: 0.8

sources: JVNDB: JVNDB-2021-002266

DESCRIPTION

FATEK Automation FvDesigner, Versions 1.5.88 and prior is vulnerable to an out-of-bounds write while processing project files, allowing an attacker to craft a project file that may permit arbitrary code execution. FATEK Automation Provided by the company FvDesigner Is FATEK FVHMI A software tool used to design and develop series product projects. FvDesigner The following multiple vulnerabilities exist in. * Uninitialized pointer access ( CWE-824 ) - CVE-2021-32931 ‥ * Stack-based buffer overflow ( CWE-121 ) - CVE-2021-32947 ‥ * Out-of-bounds writing ( CWE-787 ) - CVE-2021-32939The expected impact depends on each vulnerability, but it may be affected as follows. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Fatek Automation FvDesigner. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the parsing of FPJ files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. FATEK Automation FvDesigner is a human-computer interaction device of FATEK. FATEK Automation FvDesigner 1.5.88 and earlier versions have security vulnerabilities. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements

Trust: 3.42

sources: NVD: CVE-2021-32939 // JVNDB: JVNDB-2021-002266 // ZDI: ZDI-21-1028 // CNVD: CNVD-2021-70165 // CNNVD: CNNVD-202104-975 // VULMON: CVE-2021-32939

IOT TAXONOMY

category:

['IoT']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2021-70165

AFFECTED PRODUCTS

vendor:	fatek	model:	fvdesigner	scope:	lte	version:	1.5.88	Trust: 1.0
vendor:	fatek automation	model:	fvdesigner	scope:	eq	version:	-	Trust: 0.8
vendor:	fatek automation	model:	fvdesigner	scope:	lte	version:	1.5.88 and earlier	Trust: 0.8
vendor:	fatek automation	model:	fvdesigner	scope:	-	version:	-	Trust: 0.7
vendor:	fatek	model:	automation fvdesigner	scope:	lte	version:	<=1.5.88	Trust: 0.6

sources: ZDI: ZDI-21-1028 // CNVD: CNVD-2021-70165 // JVNDB: JVNDB-2021-002266 // NVD: CVE-2021-32939

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-32939
value:	HIGH
Trust: 1.0
OTHER:	JVNDB-2021-002266
value:	HIGH
Trust: 0.8
ZDI:	CVE-2021-32939
value:	HIGH
Trust: 0.7
CNVD:	CNVD-2021-70165
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202104-975
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202108-460
value:	HIGH
Trust: 0.6
VULMON:	CVE-2021-32939
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2021-32939
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.1
CNVD:	CNVD-2021-70165
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2021-32939
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.8
impactScore:	5.9
version:	3.1
Trust: 1.0
OTHER:	JVNDB-2021-002266
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8
ZDI:	CVE-2021-32939
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.8
impactScore:	5.9
version:	3.0
Trust: 0.7

sources: ZDI: ZDI-21-1028 // CNVD: CNVD-2021-70165 // VULMON: CVE-2021-32939 // JVNDB: JVNDB-2021-002266 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202108-460 // NVD: CVE-2021-32939

PROBLEMTYPE DATA

problemtype:	CWE-787	Trust: 1.0
problemtype:	Stack-based buffer overflow (CWE-121) [ Other ]	Trust: 0.8
problemtype:	Out-of-bounds writing (CWE-787) [ Other ]	Trust: 0.8
problemtype:	Accessing uninitialized pointers (CWE-824) [ Other ]	Trust: 0.8

sources: JVNDB: JVNDB-2021-002266 // NVD: CVE-2021-32939

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202108-460

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

PATCH

title:	Contact Us	url:	https://www.fatek.com/en/contact_us.php	Trust: 0.8
title:	Fatek Automation has issued an update to correct this vulnerability.	url:	https://us-cert.cisa.gov/ics/advisories/icsa-21-217-02	Trust: 0.7

sources: ZDI: ZDI-21-1028 // JVNDB: JVNDB-2021-002266

EXTERNAL IDS

db:	NVD	id:	CVE-2021-32939	Trust: 3.8
db:	ICS CERT	id:	ICSA-21-217-02	Trust: 2.5
db:	ZDI	id:	ZDI-21-1028	Trust: 2.4
db:	JVN	id:	JVNVU99370832	Trust: 0.8
db:	JVNDB	id:	JVNDB-2021-002266	Trust: 0.8
db:	ZDI_CAN	id:	ZDI-CAN-13392	Trust: 0.7
db:	CNVD	id:	CNVD-2021-70165	Trust: 0.6
db:	CS-HELP	id:	SB2021041363	Trust: 0.6
db:	CNNVD	id:	CNNVD-202104-975	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.2660	Trust: 0.6
db:	CS-HELP	id:	SB2021080604	Trust: 0.6
db:	CNNVD	id:	CNNVD-202108-460	Trust: 0.6
db:	VULMON	id:	CVE-2021-32939	Trust: 0.1

REFERENCES

url:	https://us-cert.cisa.gov/ics/advisories/icsa-21-217-02	Trust: 3.8
url:	https://www.zerodayinitiative.com/advisories/zdi-21-1028/	Trust: 2.4
url:	https://nvd.nist.gov/vuln/detail/cve-2021-32939	Trust: 1.2
url:	http://jvn.jp/cert/jvnvu99370832	Trust: 0.8
url:	https://www.cybersecurity-help.cz/vdb/sb2021041363	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021080604	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.2660	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/787.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

CREDITS

Anonymous

Trust: 1.3

sources: ZDI: ZDI-21-1028 // CNNVD: CNNVD-202108-460

SOURCES

db:	ZDI	id:	ZDI-21-1028
db:	CNVD	id:	CNVD-2021-70165
db:	VULMON	id:	CVE-2021-32939
db:	JVNDB	id:	JVNDB-2021-002266
db:	CNNVD	id:	CNNVD-202104-975
db:	CNNVD	id:	CNNVD-202108-460
db:	NVD	id:	CVE-2021-32939

LAST UPDATE DATE

2024-08-14T12:55:03.205000+00:00

SOURCES UPDATE DATE

db:	ZDI	id:	ZDI-21-1028	date:	2021-08-27T00:00:00
db:	CNVD	id:	CNVD-2021-70165	date:	2021-09-13T00:00:00
db:	VULMON	id:	CVE-2021-32939	date:	2021-08-27T00:00:00
db:	JVNDB	id:	JVNDB-2021-002266	date:	2021-08-10T07:08:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-14T00:00:00
db:	CNNVD	id:	CNNVD-202108-460	date:	2021-08-30T00:00:00
db:	NVD	id:	CVE-2021-32939	date:	2021-09-21T18:16:41.780

SOURCES RELEASE DATE

db:	ZDI	id:	ZDI-21-1028	date:	2021-08-27T00:00:00
db:	CNVD	id:	CNVD-2021-70165	date:	2021-09-12T00:00:00
db:	VULMON	id:	CVE-2021-32939	date:	2021-08-11T00:00:00
db:	JVNDB	id:	JVNDB-2021-002266	date:	2021-08-10T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-13T00:00:00
db:	CNNVD	id:	CNNVD-202108-460	date:	2021-08-05T00:00:00
db:	NVD	id:	CVE-2021-32939	date:	2021-08-11T13:15:16.243