cnvd - cnvd-2017-25724

CNVD-2017-25724

Vulnerability from cnvd - Published: 2017-09-08

Title

i-SENS SmartLog Diabetes Management Software代码执行漏洞

Description

SmartLog糖尿病管理软件是用于通过USB将血糖仪连接到计算机来跟踪和监测个人血糖水平的软件。 i-SENS SmartLog Diabetes Management Software存在代码执行漏洞，如果恶意DLL在有效的DLL之前加载，攻击者可以通过在搜索路径中放置特制的DLL文件在系统上执行任意代码。

Severity

高

Patch Name

i-SENS SmartLog Diabetes Management Software代码执行漏洞的补丁

Patch Description

Formal description

用户可参考如下厂商提供的安全公告获取补丁以修复该漏洞： http://push.i-sens.com/smartlog2/2.4.1/Install_SmartLog_2.4.1.exe

Reference

https://ics-cert.us-cert.gov/advisories/ICSMA-17-250-01

Impacted products

Name
i-SENS SmartLog Diabetes Management Software <=2.4.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-13993"
    }
  },
  "description": "SmartLog\u7cd6\u5c3f\u75c5\u7ba1\u7406\u8f6f\u4ef6\u662f\u7528\u4e8e\u901a\u8fc7USB\u5c06\u8840\u7cd6\u4eea\u8fde\u63a5\u5230\u8ba1\u7b97\u673a\u6765\u8ddf\u8e2a\u548c\u76d1\u6d4b\u4e2a\u4eba\u8840\u7cd6\u6c34\u5e73\u7684\u8f6f\u4ef6\u3002\r\n\r\ni-SENS SmartLog Diabetes Management Software\u5b58\u5728\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff0c\u5982\u679c\u6076\u610fDLL\u5728\u6709\u6548\u7684DLL\u4e4b\u524d\u52a0\u8f7d\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7\u5728\u641c\u7d22\u8def\u5f84\u4e2d\u653e\u7f6e\u7279\u5236\u7684DLL\u6587\u4ef6\u5728\u7cfb\u7edf\u4e0a\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002",
  "discovererName": "Mark Cross",
  "formalWay": "\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u5382\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u516c\u544a\u83b7\u53d6\u8865\u4e01\u4ee5\u4fee\u590d\u8be5\u6f0f\u6d1e\uff1a \r\nhttp://push.i-sens.com/smartlog2/2.4.1/Install_SmartLog_2.4.1.exe",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-25724",
  "openTime": "2017-09-08",
  "patchDescription": "SmartLog\u7cd6\u5c3f\u75c5\u7ba1\u7406\u8f6f\u4ef6\u662f\u7528\u4e8e\u901a\u8fc7USB\u5c06\u8840\u7cd6\u4eea\u8fde\u63a5\u5230\u8ba1\u7b97\u673a\u6765\u8ddf\u8e2a\u548c\u76d1\u6d4b\u4e2a\u4eba\u8840\u7cd6\u6c34\u5e73\u7684\u8f6f\u4ef6\u3002\r\n\r\ni-SENS SmartLog Diabetes Management Software\u5b58\u5728\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff0c\u5982\u679c\u6076\u610fDLL\u5728\u6709\u6548\u7684DLL\u4e4b\u524d\u52a0\u8f7d\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7\u5728\u641c\u7d22\u8def\u5f84\u4e2d\u653e\u7f6e\u7279\u5236\u7684DLL\u6587\u4ef6\u5728\u7cfb\u7edf\u4e0a\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "i-SENS SmartLog Diabetes Management Software\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "i-SENS SmartLog Diabetes Management Software \u003c=2.4.0"
  },
  "referenceLink": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-250-01",
  "serverity": "\u9ad8",
  "submitTime": "2017-09-08",
  "title": "i-SENS SmartLog Diabetes Management Software\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e"
}

CVE-2017-13993 (GCVE-0-2017-13993)

Vulnerability from cvelistv5 – Published: 2017-10-04 07:00 – Updated: 2024-08-05 19:13

Summary

An Uncontrolled Search Path or Element issue was discovered in i-SENS SmartLog Diabetes Management Software, Version 2.4.0 and prior versions. An uncontrolled search path element vulnerability has been identified which could be exploited by placing a specially crafted DLL file in the search path. If the malicious DLL is loaded prior to the valid DLL, an attacker could execute arbitrary code on the system. This vulnerability does not affect the connected blood glucose monitor and would not impact delivery of therapy to the patient.

Severity ?

No CVSS data available.

CWE

CWE-428

Assigner

icscert

References

URL

Tags

	https://ics-cert.us-cert.gov/advisories/ICSMA-17-250-01	x_refsource_MISC
	http://www.securityfocus.com/bid/100659	vdb-entryx_refsource_BID

Impacted products

	Vendor	Product	Version
	n/a	i-SENS, Inc. SmartLog Diabetes Management Software	Affected: i-SENS, Inc. SmartLog Diabetes Management Software

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T19:13:41.616Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-250-01"
          },
          {
            "name": "100659",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/100659"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "i-SENS, Inc. SmartLog Diabetes Management Software",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "i-SENS, Inc. SmartLog Diabetes Management Software"
            }
          ]
        }
      ],
      "datePublic": "2017-10-03T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "An Uncontrolled Search Path or Element issue was discovered in i-SENS SmartLog Diabetes Management Software, Version 2.4.0 and prior versions. An uncontrolled search path element vulnerability has been identified which could be exploited by placing a specially crafted DLL file in the search path. If the malicious DLL is loaded prior to the valid DLL, an attacker could execute arbitrary code on the system. This vulnerability does not affect the connected blood glucose monitor and would not impact delivery of therapy to the patient."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-428",
              "description": "CWE-428",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-10-04T09:57:01",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-250-01"
        },
        {
          "name": "100659",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/100659"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2017-13993",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "i-SENS, Inc. SmartLog Diabetes Management Software",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "i-SENS, Inc. SmartLog Diabetes Management Software"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An Uncontrolled Search Path or Element issue was discovered in i-SENS SmartLog Diabetes Management Software, Version 2.4.0 and prior versions. An uncontrolled search path element vulnerability has been identified which could be exploited by placing a specially crafted DLL file in the search path. If the malicious DLL is loaded prior to the valid DLL, an attacker could execute arbitrary code on the system. This vulnerability does not affect the connected blood glucose monitor and would not impact delivery of therapy to the patient."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-428"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-250-01",
              "refsource": "MISC",
              "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-250-01"
            },
            {
              "name": "100659",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/100659"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2017-13993",
    "datePublished": "2017-10-04T07:00:00",
    "dateReserved": "2017-08-30T00:00:00",
    "dateUpdated": "2024-08-05T19:13:41.616Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2017-25724

CVE-2017-13993 (GCVE-0-2017-13993)

Tags

Sightings

Nomenclature