Sign-up

ID

VAR-202108-0792


CVE

CVE-2021-32947


TITLE

FATEK Automation  Made  FvDesigner  Multiple vulnerabilities in

Trust: 0.8

sources: JVNDB: JVNDB-2021-002266

DESCRIPTION

FATEK Automation FvDesigner, Versions 1.5.88 and prior is vulnerable to a stack-based buffer overflow, which may allow an attacker to execute arbitrary code. FATEK Automation Provided by the company FvDesigner Is FATEK FVHMI A software tool used to design and develop series product projects. FvDesigner The following multiple vulnerabilities exist in. * Uninitialized pointer access ( CWE-824 ) - CVE-2021-32931 ‥ * Stack-based buffer overflow ( CWE-121 ) - CVE-2021-32947 ‥ * Out-of-bounds writing ( CWE-787 ) - CVE-2021-32939The expected impact depends on each vulnerability, but it may be affected as follows. * Arbitrary code execution by processing project files crafted by a third party - CVE-2021-32931 , CVE-2021-32939 ‥ * Arbitrary code executed by a third party - CVE-2021-32947. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the parsing of FPJ files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. FATEK Automation FvDesigner is a human-computer interaction device of FATEK. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements

Trust: 3.42

sources: NVD: CVE-2021-32947 // JVNDB: JVNDB-2021-002266 // ZDI: ZDI-21-1029 // CNVD: CNVD-2021-70166 // CNNVD: CNNVD-202104-975 // VULMON: CVE-2021-32947

IOT TAXONOMY

category:['IoT']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2021-70166

AFFECTED PRODUCTS

vendor:fatekmodel:fvdesignerscope:lteversion:1.5.88

Trust: 1.0

vendor:fatek automationmodel:fvdesignerscope:eqversion: -

Trust: 0.8

vendor:fatek automationmodel:fvdesignerscope:lteversion:1.5.88 and earlier

Trust: 0.8

vendor:fatek automationmodel:fvdesignerscope: - version: -

Trust: 0.7

vendor:fatekmodel:automation fvdesignerscope:lteversion:<=1.5.88

Trust: 0.6

sources: ZDI: ZDI-21-1029 // CNVD: CNVD-2021-70166 // JVNDB: JVNDB-2021-002266 // NVD: CVE-2021-32947

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-32947
value: HIGH

Trust: 1.0

OTHER: JVNDB-2021-002266
value: HIGH

Trust: 0.8

ZDI: CVE-2021-32947
value: HIGH

Trust: 0.7

CNVD: CNVD-2021-70166
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202104-975
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202108-479
value: HIGH

Trust: 0.6

VULMON: CVE-2021-32947
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2021-32947
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

CNVD: CNVD-2021-70166
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2021-32947
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 1.0

OTHER: JVNDB-2021-002266
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

ZDI: CVE-2021-32947
baseSeverity: HIGH
baseScore: 7.8
vectorString: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 0.7

sources: ZDI: ZDI-21-1029 // CNVD: CNVD-2021-70166 // VULMON: CVE-2021-32947 // JVNDB: JVNDB-2021-002266 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202108-479 // NVD: CVE-2021-32947

PROBLEMTYPE DATA

problemtype:CWE-121

Trust: 1.0

problemtype:CWE-787

Trust: 1.0

problemtype:Stack-based buffer overflow (CWE-121) [ Other ]

Trust: 0.8

problemtype: Out-of-bounds writing (CWE-787) [ Other ]

Trust: 0.8

problemtype: Accessing uninitialized pointers (CWE-824) [ Other ]

Trust: 0.8

sources: JVNDB: JVNDB-2021-002266 // NVD: CVE-2021-32947

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202108-479

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

PATCH

title:Contact Usurl:https://www.fatek.com/en/contact_us.php

Trust: 0.8

title:Fatek Automation has issued an update to correct this vulnerability.url:https://us-cert.cisa.gov/ics/advisories/icsa-21-217-02

Trust: 0.7

title:Patch for FATEK Automation FvDesigner stack buffer overflow vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/290611

Trust: 0.6

title:FATEK Automation FvDesigner Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=158764

Trust: 0.6

sources: ZDI: ZDI-21-1029 // CNVD: CNVD-2021-70166 // JVNDB: JVNDB-2021-002266 // CNNVD: CNNVD-202108-479

EXTERNAL IDS

db:NVDid:CVE-2021-32947

Trust: 3.8

db:ICS CERTid:ICSA-21-217-02

Trust: 2.5

db:ZDIid:ZDI-21-1029

Trust: 2.4

db:JVNid:JVNVU99370832

Trust: 0.8

db:JVNDBid:JVNDB-2021-002266

Trust: 0.8

db:ZDI_CANid:ZDI-CAN-13398

Trust: 0.7

db:CNVDid:CNVD-2021-70166

Trust: 0.6

db:CS-HELPid:SB2021041363

Trust: 0.6

db:CNNVDid:CNNVD-202104-975

Trust: 0.6

db:AUSCERTid:ESB-2021.2660

Trust: 0.6

db:CS-HELPid:SB2021080604

Trust: 0.6

db:CNNVDid:CNNVD-202108-479

Trust: 0.6

db:VULMONid:CVE-2021-32947

Trust: 0.1

sources: ZDI: ZDI-21-1029 // CNVD: CNVD-2021-70166 // VULMON: CVE-2021-32947 // JVNDB: JVNDB-2021-002266 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202108-479 // NVD: CVE-2021-32947

REFERENCES

url:https://us-cert.cisa.gov/ics/advisories/icsa-21-217-02

Trust: 3.8

url:https://www.zerodayinitiative.com/advisories/zdi-21-1029/

Trust: 2.4

url:https://nvd.nist.gov/vuln/detail/cve-2021-32947

Trust: 1.2

url:http://jvn.jp/cert/jvnvu99370832

Trust: 0.8

url:https://www.cybersecurity-help.cz/vdb/sb2021041363

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2021080604

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.2660

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/121.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: ZDI: ZDI-21-1029 // CNVD: CNVD-2021-70166 // VULMON: CVE-2021-32947 // JVNDB: JVNDB-2021-002266 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202108-479 // NVD: CVE-2021-32947

CREDITS

Anonymous

Trust: 1.3

sources: ZDI: ZDI-21-1029 // CNNVD: CNNVD-202108-479

SOURCES

db:ZDIid:ZDI-21-1029
db:CNVDid:CNVD-2021-70166
db:VULMONid:CVE-2021-32947
db:JVNDBid:JVNDB-2021-002266
db:CNNVDid:CNNVD-202104-975
db:CNNVDid:CNNVD-202108-479
db:NVDid:CVE-2021-32947

LAST UPDATE DATE

2024-08-14T12:51:44.008000+00:00


SOURCES UPDATE DATE

db:ZDIid:ZDI-21-1029date:2021-08-27T00:00:00
db:CNVDid:CNVD-2021-70166date:2021-09-12T00:00:00
db:VULMONid:CVE-2021-32947date:2021-08-27T00:00:00
db:JVNDBid:JVNDB-2021-002266date:2021-08-10T07:08:00
db:CNNVDid:CNNVD-202104-975date:2021-04-14T00:00:00
db:CNNVDid:CNNVD-202108-479date:2021-08-30T00:00:00
db:NVDid:CVE-2021-32947date:2021-09-21T18:16:30.307

SOURCES RELEASE DATE

db:ZDIid:ZDI-21-1029date:2021-08-27T00:00:00
db:CNVDid:CNVD-2021-70166date:2021-09-12T00:00:00
db:VULMONid:CVE-2021-32947date:2021-08-11T00:00:00
db:JVNDBid:JVNDB-2021-002266date:2021-08-10T00:00:00
db:CNNVDid:CNNVD-202104-975date:2021-04-13T00:00:00
db:CNNVDid:CNNVD-202108-479date:2021-08-05T00:00:00
db:NVDid:CVE-2021-32947date:2021-08-11T13:15:16.343