cvelistv5 - CVE-2021-22712

CVE-2021-22712 (GCVE-0-2021-22712)

Vulnerability from cvelistv5 – Published: 2021-03-11 20:25 – Updated: 2024-08-03 18:51

Summary

Severity ?

No CVSS data available.

CWE

CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Assigner

schneider

References

URL

Tags

	https://www.se.com/ww/en/download/document/SEVD-2…	x_refsource_MISC
	https://download.schneider-electric.com/files?p_D…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	n/a	Interactive Graphical SCADA System (IGSS) Definition (Def.exe) V15.0.0.21041 and prior	Affected: Interactive Graphical SCADA System (IGSS) Definition (Def.exe) V15.0.0.21041 and prior

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T18:51:07.130Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.se.com/ww/en/download/document/SEVD-2021-068-01"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-068-01"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Interactive Graphical SCADA System (IGSS) Definition (Def.exe) V15.0.0.21041 and prior",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Interactive Graphical SCADA System (IGSS) Definition (Def.exe) V15.0.0.21041 and prior"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A CWE-119:Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists in Interactive Graphical SCADA System (IGSS) Definition (Def.exe) V15.0.0.21041 and prior, which could result in arbitrary read or write conditions when malicious CGF (Configuration Group File) file is imported to IGSS Definition due to an unchecked pointer address."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-119",
              "description": "CWE-119:Improper Restriction of Operations within the Bounds of a Memory Buffer",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-03-11T20:25:07",
        "orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
        "shortName": "schneider"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.se.com/ww/en/download/document/SEVD-2021-068-01"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-068-01"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cybersecurity@schneider-electric.com",
          "ID": "CVE-2021-22712",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Interactive Graphical SCADA System (IGSS) Definition (Def.exe) V15.0.0.21041 and prior",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Interactive Graphical SCADA System (IGSS) Definition (Def.exe) V15.0.0.21041 and prior"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A CWE-119:Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists in Interactive Graphical SCADA System (IGSS) Definition (Def.exe) V15.0.0.21041 and prior, which could result in arbitrary read or write conditions when malicious CGF (Configuration Group File) file is imported to IGSS Definition due to an unchecked pointer address."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-119:Improper Restriction of Operations within the Bounds of a Memory Buffer"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.se.com/ww/en/download/document/SEVD-2021-068-01",
              "refsource": "MISC",
              "url": "https://www.se.com/ww/en/download/document/SEVD-2021-068-01"
            },
            {
              "name": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-068-01",
              "refsource": "MISC",
              "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-068-01"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
    "assignerShortName": "schneider",
    "cveId": "CVE-2021-22712",
    "datePublished": "2021-03-11T20:25:07",
    "dateReserved": "2021-01-06T00:00:00",
    "dateUpdated": "2024-08-03T18:51:07.130Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:schneider-electric:interactive_graphical_scada_system:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"15.0.0.21041\", \"matchCriteriaId\": \"3CC174AC-AAAA-4BA4-B23F-F6F08103EF38\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"A CWE-119:Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists in Interactive Graphical SCADA System (IGSS) Definition (Def.exe) V15.0.0.21041 and prior, which could result in arbitrary read or write conditions when malicious CGF (Configuration Group File) file is imported to IGSS Definition due to an unchecked pointer address.\"}, {\"lang\": \"es\", \"value\": \"Una CWE-119: se presenta una vulnerabilidad de Restricci\\u00f3n Inapropiada de Operaciones dentro de los L\\u00edmites de un B\\u00fafer de Memoria en Interactive Graphical SCADA System (IGSS) Definition (Def.exe) versiones V15.0.0.21041 y anteriores, que podr\\u00eda resultar en condiciones de lectura o escritura arbitrarias cuando un archivo CGF (Configuration Group File) malicioso es importado a una IGSS Definition debido a una direcci\\u00f3n de puntero no marcada\"}]",
      "id": "CVE-2021-22712",
      "lastModified": "2024-11-21T05:50:30.813",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\", \"baseScore\": 7.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:C/I:C/A:C\", \"baseScore\": 9.3, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"COMPLETE\", \"integrityImpact\": \"COMPLETE\", \"availabilityImpact\": \"COMPLETE\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 8.6, \"impactScore\": 10.0, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
      "published": "2021-03-11T21:15:12.327",
      "references": "[{\"url\": \"https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-068-01\", \"source\": \"cybersecurity@se.com\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}, {\"url\": \"https://www.se.com/ww/en/download/document/SEVD-2021-068-01\", \"source\": \"cybersecurity@se.com\", \"tags\": [\"Broken Link\", \"Vendor Advisory\"]}, {\"url\": \"https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-068-01\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}, {\"url\": \"https://www.se.com/ww/en/download/document/SEVD-2021-068-01\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Broken Link\", \"Vendor Advisory\"]}]",
      "sourceIdentifier": "cybersecurity@se.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"cybersecurity@se.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-119\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-22712\",\"sourceIdentifier\":\"cybersecurity@se.com\",\"published\":\"2021-03-11T21:15:12.327\",\"lastModified\":\"2024-11-21T05:50:30.813\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A CWE-119:Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists in Interactive Graphical SCADA System (IGSS) Definition (Def.exe) V15.0.0.21041 and prior, which could result in arbitrary read or write conditions when malicious CGF (Configuration Group File) file is imported to IGSS Definition due to an unchecked pointer address.\"},{\"lang\":\"es\",\"value\":\"Una CWE-119: se presenta una vulnerabilidad de Restricci\u00f3n Inapropiada de Operaciones dentro de los L\u00edmites de un B\u00fafer de Memoria en Interactive Graphical SCADA System (IGSS) Definition (Def.exe) versiones V15.0.0.21041 y anteriores, que podr\u00eda resultar en condiciones de lectura o escritura arbitrarias cuando un archivo CGF (Configuration Group File) malicioso es importado a una IGSS Definition debido a una direcci\u00f3n de puntero no marcada\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:C/I:C/A:C\",\"baseScore\":9.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"COMPLETE\",\"integrityImpact\":\"COMPLETE\",\"availabilityImpact\":\"COMPLETE\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":8.6,\"impactScore\":10.0,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"cybersecurity@se.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-119\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:schneider-electric:interactive_graphical_scada_system:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"15.0.0.21041\",\"matchCriteriaId\":\"3CC174AC-AAAA-4BA4-B23F-F6F08103EF38\"}]}]}],\"references\":[{\"url\":\"https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-068-01\",\"source\":\"cybersecurity@se.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://www.se.com/ww/en/download/document/SEVD-2021-068-01\",\"source\":\"cybersecurity@se.com\",\"tags\":[\"Broken Link\",\"Vendor Advisory\"]},{\"url\":\"https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-068-01\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://www.se.com/ww/en/download/document/SEVD-2021-068-01\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\",\"Vendor Advisory\"]}]}}"
  }
}

CNVD-2021-31178

Vulnerability from cnvd - Published: 2021-04-26

Title

Schneider Electric Interactive Graphical SCADA System缓冲区溢出漏洞（CNVD-2021-31178）

Description

Schneider Electric Interactive Graphical SCADA System（IGSS）是法国施耐德电气（Schneider Electric）公司的一套用于监控和控制工业过程的SCADA（数据采集与监控系统）系统。 Interactive Graphical SCADA System (IGSS) Definition V15.0.0.21041及之前版本存在缓冲区溢出漏洞。该漏洞源于程序未对指针地址进行正确验证。攻击者可通过导入恶意CGF（配置组文件）利用该漏洞导致任意读取和写入。

Severity

高

Patch Name

Schneider Electric Interactive Graphical SCADA System缓冲区溢出漏洞（CNVD-2021-31178）的补丁

Patch Description

Formal description

用户可参考如下厂商提供的安全补丁以修复该漏洞： https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-068-01

Reference

https://us-cert.cisa.gov/ics/advisories/icsa-21-070-01

Impacted products

Name
Schneider Electric Interactive Graphical SCADA System (IGSS) Definition <=V15.0.0.21041

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-22712",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-22712"
    }
  },
  "description": "Schneider Electric Interactive Graphical SCADA System\uff08IGSS\uff09\u662f\u6cd5\u56fd\u65bd\u8010\u5fb7\u7535\u6c14\uff08Schneider Electric\uff09\u516c\u53f8\u7684\u4e00\u5957\u7528\u4e8e\u76d1\u63a7\u548c\u63a7\u5236\u5de5\u4e1a\u8fc7\u7a0b\u7684SCADA\uff08\u6570\u636e\u91c7\u96c6\u4e0e\u76d1\u63a7\u7cfb\u7edf\uff09\u7cfb\u7edf\u3002\n\nInteractive Graphical SCADA System (IGSS) Definition V15.0.0.21041\u53ca\u4e4b\u524d\u7248\u672c\u5b58\u5728\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u672a\u5bf9\u6307\u9488\u5730\u5740\u8fdb\u884c\u6b63\u786e\u9a8c\u8bc1\u3002\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u5bfc\u5165\u6076\u610fCGF\uff08\u914d\u7f6e\u7ec4\u6587\u4ef6\uff09\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u4efb\u610f\u8bfb\u53d6\u548c\u5199\u5165\u3002",
  "formalWay": "\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u5382\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u8865\u4e01\u4ee5\u4fee\u590d\u8be5\u6f0f\u6d1e\uff1a\r\nhttps://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-068-01",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-31178",
  "openTime": "2021-04-26",
  "patchDescription": "Schneider Electric Interactive Graphical SCADA System\uff08IGSS\uff09\u662f\u6cd5\u56fd\u65bd\u8010\u5fb7\u7535\u6c14\uff08Schneider Electric\uff09\u516c\u53f8\u7684\u4e00\u5957\u7528\u4e8e\u76d1\u63a7\u548c\u63a7\u5236\u5de5\u4e1a\u8fc7\u7a0b\u7684SCADA\uff08\u6570\u636e\u91c7\u96c6\u4e0e\u76d1\u63a7\u7cfb\u7edf\uff09\u7cfb\u7edf\u3002\r\n\r\nInteractive Graphical SCADA System (IGSS) Definition V15.0.0.21041\u53ca\u4e4b\u524d\u7248\u672c\u5b58\u5728\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u672a\u5bf9\u6307\u9488\u5730\u5740\u8fdb\u884c\u6b63\u786e\u9a8c\u8bc1\u3002\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u5bfc\u5165\u6076\u610fCGF\uff08\u914d\u7f6e\u7ec4\u6587\u4ef6\uff09\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u4efb\u610f\u8bfb\u53d6\u548c\u5199\u5165\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Schneider Electric Interactive Graphical SCADA System\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\uff08CNVD-2021-31178\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "Schneider Electric Interactive Graphical SCADA System (IGSS) Definition \u003c=V15.0.0.21041"
  },
  "referenceLink": "https://us-cert.cisa.gov/ics/advisories/icsa-21-070-01",
  "serverity": "\u9ad8",
  "submitTime": "2021-03-15",
  "title": "Schneider Electric Interactive Graphical SCADA System\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\uff08CNVD-2021-31178\uff09"
}

ICSA-21-070-01

Vulnerability from csaf_cisa - Published: 2021-03-11 00:00 - Updated: 2021-03-11 00:00

Summary

Schneider Electric IGSS SCADA Software

Notes

CISA Disclaimer

This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov

Legal Notice

All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.

Risk evaluation

Successful exploitation of these vulnerabilities could result in remote code execution.

Critical infrastructure sectors

Commercial Facilities, Critical Manufacturing, Energy

Countries/areas deployed

Worldwide

Company headquarters location

France

Recommended Practices

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities.CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

Recommended Practices

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Recommended Practices

CISA also provides a section for control systems security recommended practices on the ICS webpage onus-cert.cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Recommended Practices

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.

Exploitability

\No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely.

JSON

To clipboard

{
  "document": {
    "acknowledgments": [
      {
        "names": [
          "Kimiya"
        ],
        "organization": "Trend Micro \u0027s Zero Day Initiative",
        "summary": "reporting these vulnerabilities to CISA"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Disclosure is not limited",
      "tlp": {
        "label": "WHITE",
        "url": "https://us-cert.cisa.gov/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
        "title": "CISA Disclaimer"
      },
      {
        "category": "legal_disclaimer",
        "text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
        "title": "Legal Notice"
      },
      {
        "category": "summary",
        "text": "Successful exploitation of these vulnerabilities could result in remote code execution.",
        "title": "Risk evaluation"
      },
      {
        "category": "other",
        "text": "Commercial Facilities, Critical Manufacturing, Energy",
        "title": "Critical infrastructure sectors"
      },
      {
        "category": "other",
        "text": "Worldwide",
        "title": "Countries/areas deployed"
      },
      {
        "category": "other",
        "text": "France",
        "title": "Company headquarters location"
      },
      {
        "category": "general",
        "text": "CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities.CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "CISA also recommends users take the following measures to protect themselves from social engineering attacks:",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "\nCISA also provides a section for control systems security recommended practices on the ICS webpage onus-cert.cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.",
        "title": "Recommended Practices"
      },
      {
        "category": "other",
        "text": "\\No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely.",
        "title": "Exploitability"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "Email: CISAservicedesk@cisa.dhs.gov;\n Toll Free: 1-888-282-0870",
      "name": "CISA",
      "namespace": "https://www.cisa.gov/"
    },
    "references": [
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-21-070-01 JSON",
        "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2021/icsa-21-070-01.json"
      },
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-21-070-01 Web Version",
        "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-21-070-01"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://us-cert.cisa.gov/ncas/tips/ST04-014"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://us-cert.cisa.gov/ics/tips/ICS-TIP-12-146-01B"
      }
    ],
    "title": "Schneider Electric IGSS SCADA Software",
    "tracking": {
      "current_release_date": "2021-03-11T00:00:00.000000Z",
      "generator": {
        "engine": {
          "name": "CISA CSAF Generator",
          "version": "1.0.0"
        }
      },
      "id": "ICSA-21-070-01",
      "initial_release_date": "2021-03-11T00:00:00.000000Z",
      "revision_history": [
        {
          "date": "2021-03-11T00:00:00.000000Z",
          "legacy_version": "Initial",
          "number": "1",
          "summary": "ICSA-21-070-01 Schneider Electric IGSS SCADA Software"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c= 15.0.0.21041",
                "product": {
                  "name": "IGSS Definition (Def.exe): Version 15.0.0.21041 and prior",
                  "product_id": "CSAFPID-0001"
                }
              }
            ],
            "category": "product_name",
            "name": "IGSS Definition (Def.exe)"
          }
        ],
        "category": "vendor",
        "name": "Schneider Electric Software, LLC"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-22709",
      "cwe": {
        "id": "CWE-119",
        "name": "Improper Restriction of Operations within the Bounds of a Memory Buffer"
      },
      "notes": [
        {
          "category": "summary",
          "text": "This vulnerability could result in loss of data or remote code execution when a malicious CGF (configuration group file) file is imported into an IGSS Definition.CVE-2021-22709 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22709"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "Schneider Electric has provided Version 15.0.0.21042 of the IGSS Definition module: Def.exe to address these vulnerabilities. The update is available for download through IGSS Master \u003e Update IGSS Software or from the Schneider Electric support page.",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://igss.schneider-electric.com/igss/igssupdates/v150/IGSSUPDATE.ZIP"
        },
        {
          "category": "mitigation",
          "details": "Avoid importing CGF files from untrusted sources.",
          "product_ids": [
            "CSAFPID-0001"
          ]
        },
        {
          "category": "mitigation",
          "details": "For more information, see the Schneider Electric security notification.",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-068-01"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2021-22710",
      "cwe": {
        "id": "CWE-119",
        "name": "Improper Restriction of Operations within the Bounds of a Memory Buffer"
      },
      "notes": [
        {
          "category": "summary",
          "text": "This vulnerability could result in loss of data or remote code execution when a malicious CGF file is imported into an IGSS Definition.CVE-2021-22710 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22710"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "Schneider Electric has provided Version 15.0.0.21042 of the IGSS Definition module: Def.exe to address these vulnerabilities. The update is available for download through IGSS Master \u003e Update IGSS Software or from the Schneider Electric support page.",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://igss.schneider-electric.com/igss/igssupdates/v150/IGSSUPDATE.ZIP"
        },
        {
          "category": "mitigation",
          "details": "Avoid importing CGF files from untrusted sources.",
          "product_ids": [
            "CSAFPID-0001"
          ]
        },
        {
          "category": "mitigation",
          "details": "For more information, see the Schneider Electric security notification.",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-068-01"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2021-22711",
      "cwe": {
        "id": "CWE-119",
        "name": "Improper Restriction of Operations within the Bounds of a Memory Buffer"
      },
      "notes": [
        {
          "category": "summary",
          "text": "This vulnerability could result in arbitrary read or write conditions due to missing validation of input data when a malicious CGF file is imported into an IGSS Definition.CVE-2021-22711 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22711"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "Schneider Electric has provided Version 15.0.0.21042 of the IGSS Definition module: Def.exe to address these vulnerabilities. The update is available for download through IGSS Master \u003e Update IGSS Software or from the Schneider Electric support page.",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://igss.schneider-electric.com/igss/igssupdates/v150/IGSSUPDATE.ZIP"
        },
        {
          "category": "mitigation",
          "details": "Avoid importing CGF files from untrusted sources.",
          "product_ids": [
            "CSAFPID-0001"
          ]
        },
        {
          "category": "mitigation",
          "details": "For more information, see the Schneider Electric security notification.",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-068-01"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2021-22712",
      "cwe": {
        "id": "CWE-119",
        "name": "Improper Restriction of Operations within the Bounds of a Memory Buffer"
      },
      "notes": [
        {
          "category": "summary",
          "text": "This vulnerability could result in arbitrary read or write conditions due to an unchecked pointer address when a malicious CGF file is imported into an IGSS Definition.CVE-2021-22712 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22712"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "Schneider Electric has provided Version 15.0.0.21042 of the IGSS Definition module: Def.exe to address these vulnerabilities. The update is available for download through IGSS Master \u003e Update IGSS Software or from the Schneider Electric support page.",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://igss.schneider-electric.com/igss/igssupdates/v150/IGSSUPDATE.ZIP"
        },
        {
          "category": "mitigation",
          "details": "Avoid importing CGF files from untrusted sources.",
          "product_ids": [
            "CSAFPID-0001"
          ]
        },
        {
          "category": "mitigation",
          "details": "For more information, see the Schneider Electric security notification.",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-068-01"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ]
    }
  ]
}

FKIE_CVE-2021-22712

Vulnerability from fkie_nvd - Published: 2021-03-11 21:15 - Updated: 2024-11-21 05:50

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
cybersecurity@se.com	https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-068-01	Patch, Vendor Advisory
cybersecurity@se.com	https://www.se.com/ww/en/download/document/SEVD-2021-068-01	Broken Link, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-068-01	Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.se.com/ww/en/download/document/SEVD-2021-068-01	Broken Link, Vendor Advisory

Impacted products

	Vendor	Product	Version
	schneider-electric	interactive_graphical_scada_system	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:schneider-electric:interactive_graphical_scada_system:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3CC174AC-AAAA-4BA4-B23F-F6F08103EF38",
              "versionEndIncluding": "15.0.0.21041",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A CWE-119:Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists in Interactive Graphical SCADA System (IGSS) Definition (Def.exe) V15.0.0.21041 and prior, which could result in arbitrary read or write conditions when malicious CGF (Configuration Group File) file is imported to IGSS Definition due to an unchecked pointer address."
    },
    {
      "lang": "es",
      "value": "Una CWE-119: se presenta una vulnerabilidad de Restricci\u00f3n Inapropiada de Operaciones dentro de los L\u00edmites de un B\u00fafer de Memoria en Interactive Graphical SCADA System (IGSS) Definition (Def.exe) versiones V15.0.0.21041 y anteriores, que podr\u00eda resultar en condiciones de lectura o escritura arbitrarias cuando un archivo CGF (Configuration Group File) malicioso es importado a una IGSS Definition debido a una direcci\u00f3n de puntero no marcada"
    }
  ],
  "id": "CVE-2021-22712",
  "lastModified": "2024-11-21T05:50:30.813",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 9.3,
          "confidentialityImpact": "COMPLETE",
          "integrityImpact": "COMPLETE",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 10.0,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-03-11T21:15:12.327",
  "references": [
    {
      "source": "cybersecurity@se.com",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-068-01"
    },
    {
      "source": "cybersecurity@se.com",
      "tags": [
        "Broken Link",
        "Vendor Advisory"
      ],
      "url": "https://www.se.com/ww/en/download/document/SEVD-2021-068-01"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-068-01"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Broken Link",
        "Vendor Advisory"
      ],
      "url": "https://www.se.com/ww/en/download/document/SEVD-2021-068-01"
    }
  ],
  "sourceIdentifier": "cybersecurity@se.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-119"
        }
      ],
      "source": "cybersecurity@se.com",
      "type": "Secondary"
    }
  ]
}

GSD-2021-22712

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Aliases

CVE-2021-22712

Aliases

CVE-2021-22712

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-22712",
    "description": "A CWE-119:Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists in Interactive Graphical SCADA System (IGSS) Definition (Def.exe) V15.0.0.21041 and prior, which could result in arbitrary read or write conditions when malicious CGF (Configuration Group File) file is imported to IGSS Definition due to an unchecked pointer address.",
    "id": "GSD-2021-22712"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-22712"
      ],
      "details": "A CWE-119:Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists in Interactive Graphical SCADA System (IGSS) Definition (Def.exe) V15.0.0.21041 and prior, which could result in arbitrary read or write conditions when malicious CGF (Configuration Group File) file is imported to IGSS Definition due to an unchecked pointer address.",
      "id": "GSD-2021-22712",
      "modified": "2023-12-13T01:23:24.283132Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cybersecurity@schneider-electric.com",
        "ID": "CVE-2021-22712",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Interactive Graphical SCADA System (IGSS) Definition (Def.exe) V15.0.0.21041 and prior",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "Interactive Graphical SCADA System (IGSS) Definition (Def.exe) V15.0.0.21041 and prior"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "A CWE-119:Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists in Interactive Graphical SCADA System (IGSS) Definition (Def.exe) V15.0.0.21041 and prior, which could result in arbitrary read or write conditions when malicious CGF (Configuration Group File) file is imported to IGSS Definition due to an unchecked pointer address."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-119:Improper Restriction of Operations within the Bounds of a Memory Buffer"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://www.se.com/ww/en/download/document/SEVD-2021-068-01",
            "refsource": "MISC",
            "url": "https://www.se.com/ww/en/download/document/SEVD-2021-068-01"
          },
          {
            "name": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-068-01",
            "refsource": "MISC",
            "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-068-01"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:schneider-electric:interactive_graphical_scada_system:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "15.0.0.21041",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cybersecurity@schneider-electric.com",
          "ID": "CVE-2021-22712"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "A CWE-119:Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists in Interactive Graphical SCADA System (IGSS) Definition (Def.exe) V15.0.0.21041 and prior, which could result in arbitrary read or write conditions when malicious CGF (Configuration Group File) file is imported to IGSS Definition due to an unchecked pointer address."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-119"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.se.com/ww/en/download/document/SEVD-2021-068-01",
              "refsource": "MISC",
              "tags": [
                "Broken Link",
                "Vendor Advisory"
              ],
              "url": "https://www.se.com/ww/en/download/document/SEVD-2021-068-01"
            },
            {
              "name": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-068-01",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Vendor Advisory"
              ],
              "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-068-01"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "COMPLETE",
            "baseScore": 9.3,
            "confidentialityImpact": "COMPLETE",
            "integrityImpact": "COMPLETE",
            "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 10.0,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2021-03-17T20:23Z",
      "publishedDate": "2021-03-11T21:15Z"
    }
  }
}

CERTFR-2021-AVI-175

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans les produits Schneider. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service et un contournement de la politique de sécurité.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
N/A	N/A	IGSS Definition (Def.exe) version antérieures à 15.0.0.21042
N/A	N/A	ION7400 versions antérieures à 3.0.0
N/A	N/A	ION8650 versions antérieures à 4.40.1
N/A	N/A	ION8800 versions antérieures à 372
N/A	N/A	ION7650 (Hardware rev. 5*) versions antérieures à 416
N/A	N/A	PM8000 versions antérieures à 3.0.0
N/A	N/A	ION7700/73xx toutes versions
N/A	N/A	ION83xx/84xx/85xx/8600 toutes versions
N/A	N/A	ION7650 (Hardware rev. 4 or earlier*) versions antérieures à 376
N/A	N/A	ION9000 versions antérieures à 3.0.0

References

Title

Publication Time

Tags

Bulletin de sécurité Schneider SEVD-2021-068-02 du 09 mars 2021	None	vendor-advisory
Bulletin de sécurité Schneider SEVD-2021-068-01 du 09 mars 2021	None	vendor-advisory
Bulletin de sécurité Schneider SEVD-2021-068-03 du 09 mars 2021	None	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "IGSS Definition (Def.exe) version ant\u00e9rieures \u00e0 15.0.0.21042",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "N/A",
          "scada": false
        }
      }
    },
    {
      "description": "ION7400 versions ant\u00e9rieures \u00e0 3.0.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "N/A",
          "scada": false
        }
      }
    },
    {
      "description": "ION8650 versions ant\u00e9rieures \u00e0 4.40.1",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "N/A",
          "scada": false
        }
      }
    },
    {
      "description": "ION8800 versions ant\u00e9rieures \u00e0 372",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "N/A",
          "scada": false
        }
      }
    },
    {
      "description": "ION7650 (Hardware rev. 5*) versions ant\u00e9rieures \u00e0 416",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "N/A",
          "scada": false
        }
      }
    },
    {
      "description": "PM8000 versions ant\u00e9rieures \u00e0 3.0.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "N/A",
          "scada": false
        }
      }
    },
    {
      "description": "ION7700/73xx toutes versions",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "N/A",
          "scada": false
        }
      }
    },
    {
      "description": "ION83xx/84xx/85xx/8600 toutes versions",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "N/A",
          "scada": false
        }
      }
    },
    {
      "description": "ION7650 (Hardware rev. 4 or earlier*) versions ant\u00e9rieures \u00e0 376",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "N/A",
          "scada": false
        }
      }
    },
    {
      "description": "ION9000 versions ant\u00e9rieures \u00e0 3.0.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "N/A",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2021-22712",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22712"
    },
    {
      "name": "CVE-2021-22709",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22709"
    },
    {
      "name": "CVE-2021-22713",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22713"
    },
    {
      "name": "CVE-2021-22710",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22710"
    },
    {
      "name": "CVE-2021-22714",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22714"
    },
    {
      "name": "CVE-2021-22711",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22711"
    }
  ],
  "links": [],
  "reference": "CERTFR-2021-AVI-175",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2021-03-10T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "D\u00e9ni de service"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits\nSchneider. Certaines d\u0027entre elles permettent \u00e0 un attaquant de\nprovoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de\nservice et un contournement de la politique de s\u00e9curit\u00e9.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Schneider",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2021-068-02 du 09 mars 2021",
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-068-02"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2021-068-01 du 09 mars 2021",
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-068-01"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2021-068-03 du 09 mars 2021",
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-068-03"
    }
  ]
}

CERTFR-2021-AVI-175

Vulnerability from certfr_avis - Published: - Updated:

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
N/A	N/A	IGSS Definition (Def.exe) version antérieures à 15.0.0.21042
N/A	N/A	ION7400 versions antérieures à 3.0.0
N/A	N/A	ION8650 versions antérieures à 4.40.1
N/A	N/A	ION8800 versions antérieures à 372
N/A	N/A	ION7650 (Hardware rev. 5*) versions antérieures à 416
N/A	N/A	PM8000 versions antérieures à 3.0.0
N/A	N/A	ION7700/73xx toutes versions
N/A	N/A	ION83xx/84xx/85xx/8600 toutes versions
N/A	N/A	ION7650 (Hardware rev. 4 or earlier*) versions antérieures à 376
N/A	N/A	ION9000 versions antérieures à 3.0.0

References

Title

Publication Time

Tags

Bulletin de sécurité Schneider SEVD-2021-068-02 du 09 mars 2021	None	vendor-advisory
Bulletin de sécurité Schneider SEVD-2021-068-01 du 09 mars 2021	None	vendor-advisory
Bulletin de sécurité Schneider SEVD-2021-068-03 du 09 mars 2021	None	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "IGSS Definition (Def.exe) version ant\u00e9rieures \u00e0 15.0.0.21042",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "N/A",
          "scada": false
        }
      }
    },
    {
      "description": "ION7400 versions ant\u00e9rieures \u00e0 3.0.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "N/A",
          "scada": false
        }
      }
    },
    {
      "description": "ION8650 versions ant\u00e9rieures \u00e0 4.40.1",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "N/A",
          "scada": false
        }
      }
    },
    {
      "description": "ION8800 versions ant\u00e9rieures \u00e0 372",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "N/A",
          "scada": false
        }
      }
    },
    {
      "description": "ION7650 (Hardware rev. 5*) versions ant\u00e9rieures \u00e0 416",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "N/A",
          "scada": false
        }
      }
    },
    {
      "description": "PM8000 versions ant\u00e9rieures \u00e0 3.0.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "N/A",
          "scada": false
        }
      }
    },
    {
      "description": "ION7700/73xx toutes versions",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "N/A",
          "scada": false
        }
      }
    },
    {
      "description": "ION83xx/84xx/85xx/8600 toutes versions",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "N/A",
          "scada": false
        }
      }
    },
    {
      "description": "ION7650 (Hardware rev. 4 or earlier*) versions ant\u00e9rieures \u00e0 376",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "N/A",
          "scada": false
        }
      }
    },
    {
      "description": "ION9000 versions ant\u00e9rieures \u00e0 3.0.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "N/A",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2021-22712",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22712"
    },
    {
      "name": "CVE-2021-22709",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22709"
    },
    {
      "name": "CVE-2021-22713",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22713"
    },
    {
      "name": "CVE-2021-22710",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22710"
    },
    {
      "name": "CVE-2021-22714",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22714"
    },
    {
      "name": "CVE-2021-22711",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22711"
    }
  ],
  "links": [],
  "reference": "CERTFR-2021-AVI-175",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2021-03-10T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "D\u00e9ni de service"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits\nSchneider. Certaines d\u0027entre elles permettent \u00e0 un attaquant de\nprovoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de\nservice et un contournement de la politique de s\u00e9curit\u00e9.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Schneider",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2021-068-02 du 09 mars 2021",
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-068-02"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2021-068-01 du 09 mars 2021",
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-068-01"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2021-068-03 du 09 mars 2021",
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-068-03"
    }
  ]
}

VAR-202103-0443

Vulnerability from variot - Updated: 2023-12-18 11:57

A CWE-119:Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists in Interactive Graphical SCADA System (IGSS) Definition (Def.exe) V15.0.0.21041 and prior, which could result in arbitrary read or write conditions when malicious CGF (Configuration Group File) file is imported to IGSS Definition due to an unchecked pointer address. Interactive Graphical SCADA System (IGSS) Is vulnerable to a buffer error.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Schneider Electric IGSS. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the parsing of CGF files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Schneider Electric Interactive Graphical SCADA System (IGSS) is a set of SCADA (Data Acquisition and Supervisory Control System) system used by French Schneider Electric (Schneider Electric) to monitor and control industrial processes.

Interactive Graphical SCADA System (IGSS) Definition V15.0.0.21041 and earlier versions have a buffer overflow vulnerability. The vulnerability stems from the program's failure to verify the pointer address correctly. Attackers can use this vulnerability to cause arbitrary reads and writes by importing malicious CGF (configuration group files)

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202103-0443",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "interactive graphical scada system",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "schneider electric",
        "version": "15.0.0.21041"
      },
      {
        "model": "interactive graphical scada system",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "schneider electric",
        "version": null
      },
      {
        "model": "interactive graphical scada system",
        "scope": "lte",
        "trust": 0.8,
        "vendor": "schneider electric",
        "version": "15.0.0.21041  and earlier"
      },
      {
        "model": "igss",
        "scope": null,
        "trust": 0.7,
        "vendor": "schneider electric",
        "version": null
      },
      {
        "model": "electric interactive graphical scada system definition",
        "scope": "lte",
        "trust": 0.6,
        "vendor": "schneider",
        "version": "\u003c=v15.0.0.21041"
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-21-269"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2021-31178"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-004402"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-22712"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:schneider-electric:interactive_graphical_scada_system:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "15.0.0.21041",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2021-22712"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "kimiya",
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-21-269"
      }
    ],
    "trust": 0.7
  },
  "cve": "CVE-2021-22712",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 9.3,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 8.6,
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "HIGH",
            "trust": 1.0,
            "userInteractionRequired": true,
            "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Medium",
            "accessVector": "Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "Complete",
            "baseScore": 9.3,
            "confidentialityImpact": "Complete",
            "exploitabilityScore": null,
            "id": "CVE-2021-22712",
            "impactScore": null,
            "integrityImpact": "Complete",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "High",
            "trust": 0.9,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 9.3,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 8.6,
            "id": "CNVD-2021-31178",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.6,
            "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "COMPLETE",
            "baseScore": 9.3,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 8.6,
            "id": "VHN-381186",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.1,
            "vectorString": "AV:N/AC:M/AU:N/C:C/I:C/A:C",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "author": "NVD",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 1.8,
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Local",
            "author": "NVD",
            "availabilityImpact": "High",
            "baseScore": 7.8,
            "baseSeverity": "High",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "CVE-2021-22712",
            "impactScore": null,
            "integrityImpact": "High",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "Required",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "author": "ZDI",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 1.8,
            "id": "CVE-2021-22712",
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 0.7,
            "userInteraction": "REQUIRED",
            "vectorString": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2021-22712",
            "trust": 1.8,
            "value": "HIGH"
          },
          {
            "author": "ZDI",
            "id": "CVE-2021-22712",
            "trust": 0.7,
            "value": "HIGH"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2021-31178",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202103-808",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "VULHUB",
            "id": "VHN-381186",
            "trust": 0.1,
            "value": "HIGH"
          },
          {
            "author": "VULMON",
            "id": "CVE-2021-22712",
            "trust": 0.1,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-21-269"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2021-31178"
      },
      {
        "db": "VULHUB",
        "id": "VHN-381186"
      },
      {
        "db": "VULMON",
        "id": "CVE-2021-22712"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-004402"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-22712"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202103-808"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "A CWE-119:Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists in Interactive Graphical SCADA System (IGSS) Definition (Def.exe) V15.0.0.21041 and prior, which could result in arbitrary read or write conditions when malicious CGF (Configuration Group File) file is imported to IGSS Definition due to an unchecked pointer address. Interactive Graphical SCADA System (IGSS) Is vulnerable to a buffer error.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Schneider Electric IGSS. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the parsing of CGF files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Schneider Electric Interactive Graphical SCADA System (IGSS) is a set of SCADA (Data Acquisition and Supervisory Control System) system used by French Schneider Electric (Schneider Electric) to monitor and control industrial processes. \n\r\n\r\nInteractive Graphical SCADA System (IGSS) Definition V15.0.0.21041 and earlier versions have a buffer overflow vulnerability. The vulnerability stems from the program\u0027s failure to verify the pointer address correctly. Attackers can use this vulnerability to cause arbitrary reads and writes by importing malicious CGF (configuration group files)",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2021-22712"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-004402"
      },
      {
        "db": "ZDI",
        "id": "ZDI-21-269"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2021-31178"
      },
      {
        "db": "VULHUB",
        "id": "VHN-381186"
      },
      {
        "db": "VULMON",
        "id": "CVE-2021-22712"
      }
    ],
    "trust": 2.97
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2021-22712",
        "trust": 3.9
      },
      {
        "db": "SCHNEIDER",
        "id": "SEVD-2021-068-01",
        "trust": 1.8
      },
      {
        "db": "ZDI",
        "id": "ZDI-21-269",
        "trust": 1.4
      },
      {
        "db": "ICS CERT",
        "id": "ICSA-21-070-01",
        "trust": 1.2
      },
      {
        "db": "JVN",
        "id": "JVNVU92960744",
        "trust": 0.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-004402",
        "trust": 0.8
      },
      {
        "db": "ZDI_CAN",
        "id": "ZDI-CAN-12669",
        "trust": 0.7
      },
      {
        "db": "CNVD",
        "id": "CNVD-2021-31178",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2021.0888",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202103-808",
        "trust": 0.6
      },
      {
        "db": "VULHUB",
        "id": "VHN-381186",
        "trust": 0.1
      },
      {
        "db": "VULMON",
        "id": "CVE-2021-22712",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-21-269"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2021-31178"
      },
      {
        "db": "VULHUB",
        "id": "VHN-381186"
      },
      {
        "db": "VULMON",
        "id": "CVE-2021-22712"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-004402"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-22712"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202103-808"
      }
    ]
  },
  "id": "VAR-202103-0443",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2021-31178"
      },
      {
        "db": "VULHUB",
        "id": "VHN-381186"
      }
    ],
    "trust": 1.29090906
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "ICS"
        ],
        "sub_category": null,
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2021-31178"
      }
    ]
  },
  "last_update_date": "2023-12-18T11:57:31.494000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Product\u00a0Documentation\u00a0\u0026\u00a0Software\u00a0downloads Schneider\u00a0Electric\u00a0Security\u00a0Notification",
        "trust": 0.8,
        "url": "https://www.se.com/ww/en/download/document/sevd-2021-068-01"
      },
      {
        "title": "Schneider Electric has issued an update to correct this vulnerability.",
        "trust": 0.7,
        "url": "https://download.schneider-electric.com/files?p_doc_ref=sevd-2021-068-01"
      },
      {
        "title": "Patch for Schneider Electric Interactive Graphical SCADA System buffer overflow vulnerability (CNVD-2021-31178)",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchinfo/show/261441"
      },
      {
        "title": "Schneider Electric Interactive Graphical SCADA System Buffer error vulnerability fix",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=144189"
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-21-269"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2021-31178"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-004402"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202103-808"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-119",
        "trust": 1.1
      },
      {
        "problemtype": "Buffer error (CWE-119) [ Other ]",
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-381186"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-004402"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-22712"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.5,
        "url": "https://download.schneider-electric.com/files?p_doc_ref=sevd-2021-068-01"
      },
      {
        "trust": 1.8,
        "url": "https://www.se.com/ww/en/download/document/sevd-2021-068-01"
      },
      {
        "trust": 1.4,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2021-22712"
      },
      {
        "trust": 1.2,
        "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-070-01"
      },
      {
        "trust": 0.8,
        "url": "https://jvn.jp/vu/jvnvu92960744/"
      },
      {
        "trust": 0.7,
        "url": "https://www.zerodayinitiative.com/advisories/zdi-21-269/"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2021.0888"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/119.html"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-21-269"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2021-31178"
      },
      {
        "db": "VULHUB",
        "id": "VHN-381186"
      },
      {
        "db": "VULMON",
        "id": "CVE-2021-22712"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-004402"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-22712"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202103-808"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "ZDI",
        "id": "ZDI-21-269"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2021-31178"
      },
      {
        "db": "VULHUB",
        "id": "VHN-381186"
      },
      {
        "db": "VULMON",
        "id": "CVE-2021-22712"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-004402"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-22712"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202103-808"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2021-03-11T00:00:00",
        "db": "ZDI",
        "id": "ZDI-21-269"
      },
      {
        "date": "2021-04-26T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2021-31178"
      },
      {
        "date": "2021-03-11T00:00:00",
        "db": "VULHUB",
        "id": "VHN-381186"
      },
      {
        "date": "2021-03-11T00:00:00",
        "db": "VULMON",
        "id": "CVE-2021-22712"
      },
      {
        "date": "2021-11-19T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2021-004402"
      },
      {
        "date": "2021-03-11T21:15:12.327000",
        "db": "NVD",
        "id": "CVE-2021-22712"
      },
      {
        "date": "2021-03-11T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202103-808"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2021-03-11T00:00:00",
        "db": "ZDI",
        "id": "ZDI-21-269"
      },
      {
        "date": "2021-04-26T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2021-31178"
      },
      {
        "date": "2021-03-17T00:00:00",
        "db": "VULHUB",
        "id": "VHN-381186"
      },
      {
        "date": "2021-03-17T00:00:00",
        "db": "VULMON",
        "id": "CVE-2021-22712"
      },
      {
        "date": "2021-11-19T07:20:00",
        "db": "JVNDB",
        "id": "JVNDB-2021-004402"
      },
      {
        "date": "2021-03-17T20:23:56.500000",
        "db": "NVD",
        "id": "CVE-2021-22712"
      },
      {
        "date": "2021-03-19T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202103-808"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "local",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202103-808"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Interactive\u00a0Graphical\u00a0SCADA\u00a0System\u00a0 Buffer Error Vulnerability",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-004402"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "buffer error",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202103-808"
      }
    ],
    "trust": 0.6
  }
}

GHSA-F9RM-V687-4P23

Vulnerability from github – Published: 2022-05-24 17:44 – Updated: 2022-05-24 17:44

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2021-22712"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-119"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-03-11T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "A CWE-119:Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists in Interactive Graphical SCADA System (IGSS) Definition (Def.exe) V15.0.0.21041 and prior, which could result in arbitrary read or write conditions when malicious CGF (Configuration Group File) file is imported to IGSS Definition due to an unchecked pointer address.",
  "id": "GHSA-f9rm-v687-4p23",
  "modified": "2022-05-24T17:44:17Z",
  "published": "2022-05-24T17:44:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22712"
    },
    {
      "type": "WEB",
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-068-01"
    },
    {
      "type": "WEB",
      "url": "https://www.se.com/ww/en/download/document/SEVD-2021-068-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2021-22712 (GCVE-0-2021-22712)

Solution

Solution

Tags

Sightings

Nomenclature