var-201411-0420
Vulnerability from variot
Rockwell Automation Connected Components Workbench (CCW) before 7.00.00 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an invalid property value to an ActiveX control that was built with an outdated compiler. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the RA.ViewElements.Grid.1 ActiveXControl method. By providing a malicious value to the LeftXOffset property, an attacker can write a four byte null value to an arbitrary location. An attacker could use this to execute arbitrary code in the context of the browser. Rockwell Automation CCW is an HMI editor and component-level industrial product for designing and configuring applications and implementing microcontrollers. Failed exploit attempts will likely result in denial-of-service conditions. Rockwell Automation CCW 6.01.00 and prior are vulnerable. The software can be used for controller programming and device configuration, and is integrated with an HMI editor to further simplify stand-alone device programming. A security vulnerability exists in Rockwell Automation CCW versions prior to 7.00.00 due to the program using an older version of the compiler to create custom ActiveX components
Show details on source website{
"affected_products": {
"_id": null,
"data": [
{
"_id": null,
"model": "connected components workbench",
"scope": null,
"trust": 1.4,
"vendor": "rockwell automation",
"version": null
},
{
"_id": null,
"model": "connected components workbench",
"scope": "lte",
"trust": 1.0,
"vendor": "rockwellautomation",
"version": "6.01.00"
},
{
"_id": null,
"model": "connected components workbench",
"scope": "lt",
"trust": 0.8,
"vendor": "rockwell automation",
"version": "7.00.00"
},
{
"_id": null,
"model": "software rockwell automation ccw",
"scope": "lte",
"trust": 0.6,
"vendor": "rockwell",
"version": "\u003c=6.01.00"
},
{
"_id": null,
"model": "connected components workbench",
"scope": "eq",
"trust": 0.6,
"vendor": "rockwellautomation",
"version": "6.01.00"
},
{
"_id": null,
"model": null,
"scope": "eq",
"trust": 0.2,
"vendor": "connected components workbench",
"version": "*"
}
],
"sources": [
{
"db": "IVD",
"id": "b9014a1c-2351-11e6-abef-000c29c66e3d"
},
{
"db": "ZDI",
"id": "ZDI-14-384"
},
{
"db": "ZDI",
"id": "ZDI-14-383"
},
{
"db": "CNVD",
"id": "CNVD-2014-08308"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-005454"
},
{
"db": "CNNVD",
"id": "CNNVD-201411-206"
},
{
"db": "NVD",
"id": "CVE-2014-5424"
}
]
},
"configurations": {
"_id": null,
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/a:rockwellautomation:connected_components_workbench",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2014-005454"
}
]
},
"credits": {
"_id": null,
"data": "Andrea Micalizzi (rgod)",
"sources": [
{
"db": "ZDI",
"id": "ZDI-14-384"
},
{
"db": "ZDI",
"id": "ZDI-14-383"
}
],
"trust": 1.4
},
"cve": "CVE-2014-5424",
"cvss": {
"_id": null,
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CVE-2014-5424",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "HIGH",
"trust": 3.2,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CNVD-2014-08308",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "IVD",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "b9014a1c-2351-11e6-abef-000c29c66e3d",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "HIGH",
"trust": 0.2,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.9 [IVD]"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "VHN-73365",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:N/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "ZDI",
"id": "CVE-2014-5424",
"trust": 1.4,
"value": "HIGH"
},
{
"author": "nvd@nist.gov",
"id": "CVE-2014-5424",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "CVE-2014-5424",
"trust": 0.8,
"value": "High"
},
{
"author": "CNVD",
"id": "CNVD-2014-08308",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-201411-206",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "IVD",
"id": "b9014a1c-2351-11e6-abef-000c29c66e3d",
"trust": 0.2,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-73365",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "IVD",
"id": "b9014a1c-2351-11e6-abef-000c29c66e3d"
},
{
"db": "ZDI",
"id": "ZDI-14-384"
},
{
"db": "ZDI",
"id": "ZDI-14-383"
},
{
"db": "CNVD",
"id": "CNVD-2014-08308"
},
{
"db": "VULHUB",
"id": "VHN-73365"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-005454"
},
{
"db": "CNNVD",
"id": "CNNVD-201411-206"
},
{
"db": "NVD",
"id": "CVE-2014-5424"
}
]
},
"description": {
"_id": null,
"data": "Rockwell Automation Connected Components Workbench (CCW) before 7.00.00 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an invalid property value to an ActiveX control that was built with an outdated compiler. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the RA.ViewElements.Grid.1 ActiveXControl method. By providing a malicious value to the LeftXOffset property, an attacker can write a four byte null value to an arbitrary location. An attacker could use this to execute arbitrary code in the context of the browser. Rockwell Automation CCW is an HMI editor and component-level industrial product for designing and configuring applications and implementing microcontrollers. Failed exploit attempts will likely result in denial-of-service conditions. \nRockwell Automation CCW 6.01.00 and prior are vulnerable. The software can be used for controller programming and device configuration, and is integrated with an HMI editor to further simplify stand-alone device programming. A security vulnerability exists in Rockwell Automation CCW versions prior to 7.00.00 due to the program using an older version of the compiler to create custom ActiveX components",
"sources": [
{
"db": "NVD",
"id": "CVE-2014-5424"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-005454"
},
{
"db": "ZDI",
"id": "ZDI-14-384"
},
{
"db": "ZDI",
"id": "ZDI-14-383"
},
{
"db": "CNVD",
"id": "CNVD-2014-08308"
},
{
"db": "BID",
"id": "71052"
},
{
"db": "IVD",
"id": "b9014a1c-2351-11e6-abef-000c29c66e3d"
},
{
"db": "VULHUB",
"id": "VHN-73365"
}
],
"trust": 3.96
},
"external_ids": {
"_id": null,
"data": [
{
"db": "NVD",
"id": "CVE-2014-5424",
"trust": 5.0
},
{
"db": "ICS CERT",
"id": "ICSA-14-294-01",
"trust": 3.1
},
{
"db": "BID",
"id": "71052",
"trust": 1.0
},
{
"db": "CNVD",
"id": "CNVD-2014-08308",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201411-206",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2014-005454",
"trust": 0.8
},
{
"db": "ZDI_CAN",
"id": "ZDI-CAN-2418",
"trust": 0.7
},
{
"db": "ZDI",
"id": "ZDI-14-384",
"trust": 0.7
},
{
"db": "ZDI_CAN",
"id": "ZDI-CAN-2417",
"trust": 0.7
},
{
"db": "ZDI",
"id": "ZDI-14-383",
"trust": 0.7
},
{
"db": "IVD",
"id": "B9014A1C-2351-11E6-ABEF-000C29C66E3D",
"trust": 0.2
},
{
"db": "VULHUB",
"id": "VHN-73365",
"trust": 0.1
}
],
"sources": [
{
"db": "IVD",
"id": "b9014a1c-2351-11e6-abef-000c29c66e3d"
},
{
"db": "ZDI",
"id": "ZDI-14-384"
},
{
"db": "ZDI",
"id": "ZDI-14-383"
},
{
"db": "CNVD",
"id": "CNVD-2014-08308"
},
{
"db": "VULHUB",
"id": "VHN-73365"
},
{
"db": "BID",
"id": "71052"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-005454"
},
{
"db": "CNNVD",
"id": "CNNVD-201411-206"
},
{
"db": "NVD",
"id": "CVE-2014-5424"
}
]
},
"id": "VAR-201411-0420",
"iot": {
"_id": null,
"data": true,
"sources": [
{
"db": "IVD",
"id": "b9014a1c-2351-11e6-abef-000c29c66e3d"
},
{
"db": "CNVD",
"id": "CNVD-2014-08308"
},
{
"db": "VULHUB",
"id": "VHN-73365"
}
],
"trust": 1.6410714350000002
},
"iot_taxonomy": {
"_id": null,
"data": [
{
"category": [
"ICS"
],
"sub_category": null,
"trust": 0.8
}
],
"sources": [
{
"db": "IVD",
"id": "b9014a1c-2351-11e6-abef-000c29c66e3d"
},
{
"db": "CNVD",
"id": "CNVD-2014-08308"
}
]
},
"last_update_date": "2024-11-23T22:52:49.754000Z",
"patch": {
"_id": null,
"data": [
{
"title": "Rockwell Automation has issued an update to correct this vulnerability.",
"trust": 1.4,
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-294-01"
},
{
"title": "Top Page",
"trust": 0.8,
"url": "http://www.rockwellautomation.com/"
},
{
"title": "\u30c8\u30c3\u30d7\u30da\u30fc\u30b8",
"trust": 0.8,
"url": "http://www.rockwellautomation.com/jpn/overview.page"
},
{
"title": "Rockwell Automation Connected Components Workbench has multiple patches for arbitrary code execution vulnerabilities",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchInfo/show/51910"
},
{
"title": "7.00.00-CCW-Std-DVD-PartD",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=52441"
},
{
"title": "7.00.00-CCW-Std-DVD-PartC",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=52440"
},
{
"title": "7.00.00-CCW-Std-DVD-PartG",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=52444"
},
{
"title": "7.00.00-CCW-Std-DVD-PartB",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=52439"
},
{
"title": "7.00.00-CCW-Std-DVD-PartF",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=52443"
},
{
"title": "7.00.00-CCW-Std-DVD-PartA",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=52438"
},
{
"title": "7.00.00-CCW-Std-DVD-PartE",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=52442"
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-14-384"
},
{
"db": "ZDI",
"id": "ZDI-14-383"
},
{
"db": "CNVD",
"id": "CNVD-2014-08308"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-005454"
},
{
"db": "CNNVD",
"id": "CNNVD-201411-206"
}
]
},
"problemtype_data": {
"_id": null,
"data": [
{
"problemtype": "CWE-264",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-73365"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-005454"
},
{
"db": "NVD",
"id": "CVE-2014-5424"
}
]
},
"references": {
"_id": null,
"data": [
{
"trust": 4.5,
"url": "https://ics-cert.us-cert.gov/advisories/icsa-14-294-01"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-5424"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-5424"
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-14-384"
},
{
"db": "ZDI",
"id": "ZDI-14-383"
},
{
"db": "CNVD",
"id": "CNVD-2014-08308"
},
{
"db": "VULHUB",
"id": "VHN-73365"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-005454"
},
{
"db": "CNNVD",
"id": "CNNVD-201411-206"
},
{
"db": "NVD",
"id": "CVE-2014-5424"
}
]
},
"sources": {
"_id": null,
"data": [
{
"db": "IVD",
"id": "b9014a1c-2351-11e6-abef-000c29c66e3d",
"ident": null
},
{
"db": "ZDI",
"id": "ZDI-14-384",
"ident": null
},
{
"db": "ZDI",
"id": "ZDI-14-383",
"ident": null
},
{
"db": "CNVD",
"id": "CNVD-2014-08308",
"ident": null
},
{
"db": "VULHUB",
"id": "VHN-73365",
"ident": null
},
{
"db": "BID",
"id": "71052",
"ident": null
},
{
"db": "JVNDB",
"id": "JVNDB-2014-005454",
"ident": null
},
{
"db": "CNNVD",
"id": "CNNVD-201411-206",
"ident": null
},
{
"db": "NVD",
"id": "CVE-2014-5424",
"ident": null
}
]
},
"sources_release_date": {
"_id": null,
"data": [
{
"date": "2014-11-17T00:00:00",
"db": "IVD",
"id": "b9014a1c-2351-11e6-abef-000c29c66e3d",
"ident": null
},
{
"date": "2014-11-19T00:00:00",
"db": "ZDI",
"id": "ZDI-14-384",
"ident": null
},
{
"date": "2014-11-19T00:00:00",
"db": "ZDI",
"id": "ZDI-14-383",
"ident": null
},
{
"date": "2014-11-17T00:00:00",
"db": "CNVD",
"id": "CNVD-2014-08308",
"ident": null
},
{
"date": "2014-11-14T00:00:00",
"db": "VULHUB",
"id": "VHN-73365",
"ident": null
},
{
"date": "2014-11-11T00:00:00",
"db": "BID",
"id": "71052",
"ident": null
},
{
"date": "2014-11-17T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2014-005454",
"ident": null
},
{
"date": "2014-11-14T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201411-206",
"ident": null
},
{
"date": "2014-11-14T00:59:00.133000",
"db": "NVD",
"id": "CVE-2014-5424",
"ident": null
}
]
},
"sources_update_date": {
"_id": null,
"data": [
{
"date": "2014-11-19T00:00:00",
"db": "ZDI",
"id": "ZDI-14-384",
"ident": null
},
{
"date": "2014-11-19T00:00:00",
"db": "ZDI",
"id": "ZDI-14-383",
"ident": null
},
{
"date": "2014-11-17T00:00:00",
"db": "CNVD",
"id": "CNVD-2014-08308",
"ident": null
},
{
"date": "2014-11-14T00:00:00",
"db": "VULHUB",
"id": "VHN-73365",
"ident": null
},
{
"date": "2014-11-24T00:56:00",
"db": "BID",
"id": "71052",
"ident": null
},
{
"date": "2014-11-17T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2014-005454",
"ident": null
},
{
"date": "2014-11-14T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201411-206",
"ident": null
},
{
"date": "2024-11-21T02:12:01.360000",
"db": "NVD",
"id": "CVE-2014-5424",
"ident": null
}
]
},
"threat_type": {
"_id": null,
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201411-206"
}
],
"trust": 0.6
},
"title": {
"_id": null,
"data": "Rockwell Automation Connected Components Workbench Service disruption in (DoS) Vulnerabilities",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2014-005454"
}
],
"trust": 0.8
},
"type": {
"_id": null,
"data": "permissions and access control",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201411-206"
}
],
"trust": 0.6
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…