cvelistv5 - cve-2017-13993

CVE-2017-13993 (GCVE-0-2017-13993)

Vulnerability from cvelistv5 – Published: 2017-10-04 07:00 – Updated: 2024-08-05 19:13

Summary

Severity ?

No CVSS data available.

CWE

CWE-428

Assigner

icscert

References

URL

Tags

	https://ics-cert.us-cert.gov/advisories/ICSMA-17-250-01	x_refsource_MISC
	http://www.securityfocus.com/bid/100659	vdb-entryx_refsource_BID

Impacted products

	Vendor	Product	Version
	n/a	i-SENS, Inc. SmartLog Diabetes Management Software	Affected: i-SENS, Inc. SmartLog Diabetes Management Software

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T19:13:41.616Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-250-01"
          },
          {
            "name": "100659",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/100659"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "i-SENS, Inc. SmartLog Diabetes Management Software",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "i-SENS, Inc. SmartLog Diabetes Management Software"
            }
          ]
        }
      ],
      "datePublic": "2017-10-03T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "An Uncontrolled Search Path or Element issue was discovered in i-SENS SmartLog Diabetes Management Software, Version 2.4.0 and prior versions. An uncontrolled search path element vulnerability has been identified which could be exploited by placing a specially crafted DLL file in the search path. If the malicious DLL is loaded prior to the valid DLL, an attacker could execute arbitrary code on the system. This vulnerability does not affect the connected blood glucose monitor and would not impact delivery of therapy to the patient."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-428",
              "description": "CWE-428",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-10-04T09:57:01",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-250-01"
        },
        {
          "name": "100659",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/100659"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2017-13993",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "i-SENS, Inc. SmartLog Diabetes Management Software",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "i-SENS, Inc. SmartLog Diabetes Management Software"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An Uncontrolled Search Path or Element issue was discovered in i-SENS SmartLog Diabetes Management Software, Version 2.4.0 and prior versions. An uncontrolled search path element vulnerability has been identified which could be exploited by placing a specially crafted DLL file in the search path. If the malicious DLL is loaded prior to the valid DLL, an attacker could execute arbitrary code on the system. This vulnerability does not affect the connected blood glucose monitor and would not impact delivery of therapy to the patient."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-428"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-250-01",
              "refsource": "MISC",
              "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-250-01"
            },
            {
              "name": "100659",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/100659"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2017-13993",
    "datePublished": "2017-10-04T07:00:00",
    "dateReserved": "2017-08-30T00:00:00",
    "dateUpdated": "2024-08-05T19:13:41.616Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:i-sens:smartlog_diabetes_management_software:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"2.4.0\", \"matchCriteriaId\": \"236385AB-1254-41A1-B996-051893D6CB78\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"An Uncontrolled Search Path or Element issue was discovered in i-SENS SmartLog Diabetes Management Software, Version 2.4.0 and prior versions. An uncontrolled search path element vulnerability has been identified which could be exploited by placing a specially crafted DLL file in the search path. If the malicious DLL is loaded prior to the valid DLL, an attacker could execute arbitrary code on the system. This vulnerability does not affect the connected blood glucose monitor and would not impact delivery of therapy to the patient.\"}, {\"lang\": \"es\", \"value\": \"Se ha descubierto un problema de elemento o ruta de b\\u00fasqueda no controlados en i-SENS SmartLog Diabetes Management Software en la versi\\u00f3n 2.4.0 y anteriores. Se ha identificado una vulnerabilidad no controlada del elemento de ruta de acceso que de hecho podr\\u00eda explotarse colocando un archivo DLL especialmente manipulado en la ruta de b\\u00fasqueda. Si el DLL malicioso se carga antes que el DLL v\\u00e1lido, un atacante podr\\u00eda ejecutar c\\u00f3digo arbitrario en el sistema. Esta vulnerabilidad no afecta al monitor de glucosa en sangre conectado y no impacta en el tratamiento al paciente.\"}]",
      "id": "CVE-2017-13993",
      "lastModified": "2024-11-21T03:11:55.583",
      "metrics": "{\"cvssMetricV30\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\", \"baseScore\": 7.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:C/I:C/A:C\", \"baseScore\": 9.3, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"COMPLETE\", \"integrityImpact\": \"COMPLETE\", \"availabilityImpact\": \"COMPLETE\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 8.6, \"impactScore\": 10.0, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2017-10-05T01:29:05.197",
      "references": "[{\"url\": \"http://www.securityfocus.com/bid/100659\", \"source\": \"ics-cert@hq.dhs.gov\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://ics-cert.us-cert.gov/advisories/ICSMA-17-250-01\", \"source\": \"ics-cert@hq.dhs.gov\", \"tags\": [\"Patch\", \"Third Party Advisory\", \"US Government Resource\"]}, {\"url\": \"http://www.securityfocus.com/bid/100659\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://ics-cert.us-cert.gov/advisories/ICSMA-17-250-01\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\", \"US Government Resource\"]}]",
      "sourceIdentifier": "ics-cert@hq.dhs.gov",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"ics-cert@hq.dhs.gov\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-428\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-427\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2017-13993\",\"sourceIdentifier\":\"ics-cert@hq.dhs.gov\",\"published\":\"2017-10-05T01:29:05.197\",\"lastModified\":\"2025-04-20T01:37:25.860\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An Uncontrolled Search Path or Element issue was discovered in i-SENS SmartLog Diabetes Management Software, Version 2.4.0 and prior versions. An uncontrolled search path element vulnerability has been identified which could be exploited by placing a specially crafted DLL file in the search path. If the malicious DLL is loaded prior to the valid DLL, an attacker could execute arbitrary code on the system. This vulnerability does not affect the connected blood glucose monitor and would not impact delivery of therapy to the patient.\"},{\"lang\":\"es\",\"value\":\"Se ha descubierto un problema de elemento o ruta de b\u00fasqueda no controlados en i-SENS SmartLog Diabetes Management Software en la versi\u00f3n 2.4.0 y anteriores. Se ha identificado una vulnerabilidad no controlada del elemento de ruta de acceso que de hecho podr\u00eda explotarse colocando un archivo DLL especialmente manipulado en la ruta de b\u00fasqueda. Si el DLL malicioso se carga antes que el DLL v\u00e1lido, un atacante podr\u00eda ejecutar c\u00f3digo arbitrario en el sistema. Esta vulnerabilidad no afecta al monitor de glucosa en sangre conectado y no impacta en el tratamiento al paciente.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:C/I:C/A:C\",\"baseScore\":9.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"COMPLETE\",\"integrityImpact\":\"COMPLETE\",\"availabilityImpact\":\"COMPLETE\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":8.6,\"impactScore\":10.0,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-428\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-427\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:i-sens:smartlog_diabetes_management_software:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2.4.0\",\"matchCriteriaId\":\"236385AB-1254-41A1-B996-051893D6CB78\"}]}]}],\"references\":[{\"url\":\"http://www.securityfocus.com/bid/100659\",\"source\":\"ics-cert@hq.dhs.gov\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://ics-cert.us-cert.gov/advisories/ICSMA-17-250-01\",\"source\":\"ics-cert@hq.dhs.gov\",\"tags\":[\"Patch\",\"Third Party Advisory\",\"US Government Resource\"]},{\"url\":\"http://www.securityfocus.com/bid/100659\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://ics-cert.us-cert.gov/advisories/ICSMA-17-250-01\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\",\"US Government Resource\"]}]}}"
  }
}

ICSMA-17-250-01

Vulnerability from csaf_cisa - Published: 2017-09-07 00:00 - Updated: 2017-09-07 00:00

Summary

i-SENS, Inc. SmartLog Diabetes Management Software

Notes

CISA Disclaimer

This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov

Legal Notice

All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.

Risk evaluation

Independent researcher Mark Cross has identified an uncontrolled search path element vulnerability in i-SENS, Inc. SmartLog Diabetes Management Software. i-SENS has produced an update that mitigates this vulnerability. Mark Cross has tested the update to validate that it resolves the vulnerability.

Recommended Practices

NCCIC/ICS-CERT recommends that users take the following measures to protect themselves from social engineering attacks:

Recommended Practices

ICS-CERT also provides a section for security recommended practices on the ICS-CERT web page athttp://ics-cert.us-cert.gov/content/recommended-practices. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

Recommended Practices

Additional mitigation guidance and recommended practices are publicly available in the ICS -CERT Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT web site (http://ics-cert.us-cert.gov/).

Recommended Practices

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.

Exploitability

This vulnerability is not exploitable remotely and cannot be exploited without user interaction. The exploit is only triggered when a local user runs the vulnerable application and loads the specially crafted, malicious DLL file.

JSON

To clipboard

{
  "document": {
    "acknowledgments": [
      {
        "names": [
          "Mark Cross"
        ],
        "summary": "identifying an uncontrolled search path element vulnerability in i-SENS, Inc. SmartLog Diabetes Management Software and testing the update to validate that it resolves the vulnerability. i-SENS has produced an update that mitigates this vulnerability"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Disclosure is not limited",
      "tlp": {
        "label": "WHITE",
        "url": "https://us-cert.cisa.gov/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
        "title": "CISA Disclaimer"
      },
      {
        "category": "legal_disclaimer",
        "text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
        "title": "Legal Notice"
      },
      {
        "category": "summary",
        "text": "Independent researcher Mark Cross has identified an uncontrolled search path element vulnerability in i-SENS, Inc. SmartLog Diabetes Management Software. i-SENS has produced an update that mitigates this vulnerability. Mark Cross has tested the update to validate that it resolves the vulnerability.",
        "title": "Risk evaluation"
      },
      {
        "category": "general",
        "text": "NCCIC/ICS-CERT recommends that users take the following measures to protect themselves from social engineering attacks:",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "ICS-CERT also provides a section for security recommended practices on the ICS-CERT web page athttp://ics-cert.us-cert.gov/content/recommended-practices. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Additional mitigation guidance and recommended practices are publicly available in the ICS -CERT Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT web site (http://ics-cert.us-cert.gov/).",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.",
        "title": "Recommended Practices"
      },
      {
        "category": "other",
        "text": "This vulnerability is not exploitable remotely and cannot be exploited without user interaction. The exploit is only triggered when a local user runs the vulnerable application and loads the specially crafted, malicious DLL file.",
        "title": "Exploitability"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "Email: CISAservicedesk@cisa.dhs.gov;\n Toll Free: 1-888-282-0870",
      "name": "CISA",
      "namespace": "https://www.cisa.gov/"
    },
    "references": [
      {
        "category": "self",
        "summary": "ICS Advisory ICSMA-17-250-01 JSON",
        "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2017/icsma-17-250-01.json"
      },
      {
        "category": "self",
        "summary": "ICS Advisory ICSMA-17-250-01 Web Version",
        "url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-17-250-01"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-17-250-01"
      }
    ],
    "title": "i-SENS, Inc. SmartLog Diabetes Management Software",
    "tracking": {
      "current_release_date": "2017-09-07T00:00:00.000000Z",
      "generator": {
        "engine": {
          "name": "CISA CSAF Generator",
          "version": "1.0.0"
        }
      },
      "id": "ICSMA-17-250-01",
      "initial_release_date": "2017-09-07T00:00:00.000000Z",
      "revision_history": [
        {
          "date": "2017-09-07T00:00:00.000000Z",
          "legacy_version": "Initial",
          "number": "1",
          "summary": "ICSMA-17-250-01 i-SENS Inc. Diabetes Management Software "
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c 2.4.0",
                "product": {
                  "name": "SmartLog Diabetes Management Software - \u003c 2.4.0",
                  "product_id": "CSAFPID-0001"
                }
              }
            ],
            "category": "product_name",
            "name": "SmartLog Diabetes Management Software"
          }
        ],
        "category": "vendor",
        "name": "i-SENS Inc"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2017-13993",
      "cwe": {
        "id": "CWE-428",
        "name": "Unquoted Search Path or Element"
      },
      "notes": [
        {
          "category": "summary",
          "text": "An uncontrolled search path element vulnerability has been identified which could be exploited by placing a specially crafted DLL file in the search path. If the malicious DLL is loaded prior to the valid DLL, an attacker could execute arbitrary code on the system. This vulnerability does not affect the connected blood glucose monitor and would not impact delivery of therapy to the patient. CVE-2017-13993 been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "cwe.mitre.org",
          "url": "http://cwe.mitre.org/data/definitions/428.html"
        },
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-13993"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "i-SENS produced an update for the SmartLog Diabetes Management Software, Version 2.4.1, which was released to the i-SENS website on September 1, 2017. It can be found at the following location:",
          "product_ids": [
            "CSAFPID-0001"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "http://push.i-sens.com/smartlog2/2.4.1/Install_SmartLog_2.4.1.exe",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "http://push.i-sens.com/smartlog2/2.4.1/Install_SmartLog_2.4.1.exe"
        },
        {
          "category": "vendor_fix",
          "details": "1.Do not click web links or open unsolicited attachments in email messages.",
          "product_ids": [
            "CSAFPID-0001"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "2.Refer to Recognizing and Avoiding Email Scamsd\nfor more information on avoiding email scams.",
          "product_ids": [
            "CSAFPID-0001"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "3.Refer to Avoiding Social Engineering and Phishing Attackse\nfor more information on social engineering attacks",
          "product_ids": [
            "CSAFPID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ]
    }
  ]
}

GSD-2017-13993

Vulnerability from gsd - Updated: 2023-12-13 01:21

Details

Aliases

CVE-2017-13993

Aliases

CVE-2017-13993

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2017-13993",
    "description": "An Uncontrolled Search Path or Element issue was discovered in i-SENS SmartLog Diabetes Management Software, Version 2.4.0 and prior versions. An uncontrolled search path element vulnerability has been identified which could be exploited by placing a specially crafted DLL file in the search path. If the malicious DLL is loaded prior to the valid DLL, an attacker could execute arbitrary code on the system. This vulnerability does not affect the connected blood glucose monitor and would not impact delivery of therapy to the patient.",
    "id": "GSD-2017-13993"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2017-13993"
      ],
      "details": "An Uncontrolled Search Path or Element issue was discovered in i-SENS SmartLog Diabetes Management Software, Version 2.4.0 and prior versions. An uncontrolled search path element vulnerability has been identified which could be exploited by placing a specially crafted DLL file in the search path. If the malicious DLL is loaded prior to the valid DLL, an attacker could execute arbitrary code on the system. This vulnerability does not affect the connected blood glucose monitor and would not impact delivery of therapy to the patient.",
      "id": "GSD-2017-13993",
      "modified": "2023-12-13T01:21:01.896213Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "ics-cert@hq.dhs.gov",
        "ID": "CVE-2017-13993",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "i-SENS, Inc. SmartLog Diabetes Management Software",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "i-SENS, Inc. SmartLog Diabetes Management Software"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "An Uncontrolled Search Path or Element issue was discovered in i-SENS SmartLog Diabetes Management Software, Version 2.4.0 and prior versions. An uncontrolled search path element vulnerability has been identified which could be exploited by placing a specially crafted DLL file in the search path. If the malicious DLL is loaded prior to the valid DLL, an attacker could execute arbitrary code on the system. This vulnerability does not affect the connected blood glucose monitor and would not impact delivery of therapy to the patient."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-428"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-250-01",
            "refsource": "MISC",
            "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-250-01"
          },
          {
            "name": "100659",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/100659"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:i-sens:smartlog_diabetes_management_software:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "2.4.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2017-13993"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "An Uncontrolled Search Path or Element issue was discovered in i-SENS SmartLog Diabetes Management Software, Version 2.4.0 and prior versions. An uncontrolled search path element vulnerability has been identified which could be exploited by placing a specially crafted DLL file in the search path. If the malicious DLL is loaded prior to the valid DLL, an attacker could execute arbitrary code on the system. This vulnerability does not affect the connected blood glucose monitor and would not impact delivery of therapy to the patient."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-427"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-250-01",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory",
                "US Government Resource"
              ],
              "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-250-01"
            },
            {
              "name": "100659",
              "refsource": "BID",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.securityfocus.com/bid/100659"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "COMPLETE",
            "baseScore": 9.3,
            "confidentialityImpact": "COMPLETE",
            "integrityImpact": "COMPLETE",
            "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 10.0,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2019-10-09T23:23Z",
      "publishedDate": "2017-10-05T01:29Z"
    }
  }
}

FKIE_CVE-2017-13993

Vulnerability from fkie_nvd - Published: 2017-10-05 01:29 - Updated: 2025-04-20 01:37

Severity ?

7.8 (High) - CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
ics-cert@hq.dhs.gov	http://www.securityfocus.com/bid/100659	Third Party Advisory, VDB Entry
ics-cert@hq.dhs.gov	https://ics-cert.us-cert.gov/advisories/ICSMA-17-250-01	Patch, Third Party Advisory, US Government Resource
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/100659	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	https://ics-cert.us-cert.gov/advisories/ICSMA-17-250-01	Patch, Third Party Advisory, US Government Resource

Impacted products

	Vendor	Product	Version
	i-sens	smartlog_diabetes_management_software	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:i-sens:smartlog_diabetes_management_software:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "236385AB-1254-41A1-B996-051893D6CB78",
              "versionEndIncluding": "2.4.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An Uncontrolled Search Path or Element issue was discovered in i-SENS SmartLog Diabetes Management Software, Version 2.4.0 and prior versions. An uncontrolled search path element vulnerability has been identified which could be exploited by placing a specially crafted DLL file in the search path. If the malicious DLL is loaded prior to the valid DLL, an attacker could execute arbitrary code on the system. This vulnerability does not affect the connected blood glucose monitor and would not impact delivery of therapy to the patient."
    },
    {
      "lang": "es",
      "value": "Se ha descubierto un problema de elemento o ruta de b\u00fasqueda no controlados en i-SENS SmartLog Diabetes Management Software en la versi\u00f3n 2.4.0 y anteriores. Se ha identificado una vulnerabilidad no controlada del elemento de ruta de acceso que de hecho podr\u00eda explotarse colocando un archivo DLL especialmente manipulado en la ruta de b\u00fasqueda. Si el DLL malicioso se carga antes que el DLL v\u00e1lido, un atacante podr\u00eda ejecutar c\u00f3digo arbitrario en el sistema. Esta vulnerabilidad no afecta al monitor de glucosa en sangre conectado y no impacta en el tratamiento al paciente."
    }
  ],
  "id": "CVE-2017-13993",
  "lastModified": "2025-04-20T01:37:25.860",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 9.3,
          "confidentialityImpact": "COMPLETE",
          "integrityImpact": "COMPLETE",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 10.0,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2017-10-05T01:29:05.197",
  "references": [
    {
      "source": "ics-cert@hq.dhs.gov",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/100659"
    },
    {
      "source": "ics-cert@hq.dhs.gov",
      "tags": [
        "Patch",
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-250-01"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/100659"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-250-01"
    }
  ],
  "sourceIdentifier": "ics-cert@hq.dhs.gov",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-428"
        }
      ],
      "source": "ics-cert@hq.dhs.gov",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-427"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CNVD-2017-25724

Vulnerability from cnvd - Published: 2017-09-08

Title

i-SENS SmartLog Diabetes Management Software代码执行漏洞

Description

SmartLog糖尿病管理软件是用于通过USB将血糖仪连接到计算机来跟踪和监测个人血糖水平的软件。 i-SENS SmartLog Diabetes Management Software存在代码执行漏洞，如果恶意DLL在有效的DLL之前加载，攻击者可以通过在搜索路径中放置特制的DLL文件在系统上执行任意代码。

Severity

高

Patch Name

i-SENS SmartLog Diabetes Management Software代码执行漏洞的补丁

Patch Description

Formal description

用户可参考如下厂商提供的安全公告获取补丁以修复该漏洞： http://push.i-sens.com/smartlog2/2.4.1/Install_SmartLog_2.4.1.exe

Reference

https://ics-cert.us-cert.gov/advisories/ICSMA-17-250-01

Impacted products

Name
i-SENS SmartLog Diabetes Management Software <=2.4.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-13993"
    }
  },
  "description": "SmartLog\u7cd6\u5c3f\u75c5\u7ba1\u7406\u8f6f\u4ef6\u662f\u7528\u4e8e\u901a\u8fc7USB\u5c06\u8840\u7cd6\u4eea\u8fde\u63a5\u5230\u8ba1\u7b97\u673a\u6765\u8ddf\u8e2a\u548c\u76d1\u6d4b\u4e2a\u4eba\u8840\u7cd6\u6c34\u5e73\u7684\u8f6f\u4ef6\u3002\r\n\r\ni-SENS SmartLog Diabetes Management Software\u5b58\u5728\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff0c\u5982\u679c\u6076\u610fDLL\u5728\u6709\u6548\u7684DLL\u4e4b\u524d\u52a0\u8f7d\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7\u5728\u641c\u7d22\u8def\u5f84\u4e2d\u653e\u7f6e\u7279\u5236\u7684DLL\u6587\u4ef6\u5728\u7cfb\u7edf\u4e0a\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002",
  "discovererName": "Mark Cross",
  "formalWay": "\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u5382\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u516c\u544a\u83b7\u53d6\u8865\u4e01\u4ee5\u4fee\u590d\u8be5\u6f0f\u6d1e\uff1a \r\nhttp://push.i-sens.com/smartlog2/2.4.1/Install_SmartLog_2.4.1.exe",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-25724",
  "openTime": "2017-09-08",
  "patchDescription": "SmartLog\u7cd6\u5c3f\u75c5\u7ba1\u7406\u8f6f\u4ef6\u662f\u7528\u4e8e\u901a\u8fc7USB\u5c06\u8840\u7cd6\u4eea\u8fde\u63a5\u5230\u8ba1\u7b97\u673a\u6765\u8ddf\u8e2a\u548c\u76d1\u6d4b\u4e2a\u4eba\u8840\u7cd6\u6c34\u5e73\u7684\u8f6f\u4ef6\u3002\r\n\r\ni-SENS SmartLog Diabetes Management Software\u5b58\u5728\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff0c\u5982\u679c\u6076\u610fDLL\u5728\u6709\u6548\u7684DLL\u4e4b\u524d\u52a0\u8f7d\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7\u5728\u641c\u7d22\u8def\u5f84\u4e2d\u653e\u7f6e\u7279\u5236\u7684DLL\u6587\u4ef6\u5728\u7cfb\u7edf\u4e0a\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "i-SENS SmartLog Diabetes Management Software\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "i-SENS SmartLog Diabetes Management Software \u003c=2.4.0"
  },
  "referenceLink": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-250-01",
  "serverity": "\u9ad8",
  "submitTime": "2017-09-08",
  "title": "i-SENS SmartLog Diabetes Management Software\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e"
}

VAR-201710-0790

Vulnerability from variot - Updated: 2023-12-18 13:38

An Uncontrolled Search Path or Element issue was discovered in i-SENS SmartLog Diabetes Management Software, Version 2.4.0 and prior versions. An uncontrolled search path element vulnerability has been identified which could be exploited by placing a specially crafted DLL file in the search path. If the malicious DLL is loaded prior to the valid DLL, an attacker could execute arbitrary code on the system. This vulnerability does not affect the connected blood glucose monitor and would not impact delivery of therapy to the patient. SmartLog Diabetes Management Software is software for tracking and monitoring individual blood glucose levels by connecting a blood glucose meter to a computer via USB. i-SENS SmartLog Diabetes Management Software has a code execution vulnerability

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201710-0790",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "smartlog diabetes management software",
        "scope": "lte",
        "trust": 1.8,
        "vendor": "i sens",
        "version": "2.4.0"
      },
      {
        "model": "smartlog diabetes management software",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "i sens",
        "version": "2.4.0"
      },
      {
        "model": "smartlog diabetes management software",
        "scope": "lte",
        "trust": 0.6,
        "vendor": "i sens",
        "version": "\u003c=2.4.0"
      },
      {
        "model": "smartlog diabetes management software",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "i sens",
        "version": "2.4.1"
      },
      {
        "model": null,
        "scope": "eq",
        "trust": 0.2,
        "vendor": "smartlog diabetes management",
        "version": "*"
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "78f2231c-fb79-43f8-9428-2a4daaeb1954"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-25724"
      },
      {
        "db": "BID",
        "id": "100659"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-009405"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-13993"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201709-527"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:i-sens:smartlog_diabetes_management_software:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "2.4.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2017-13993"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Mark Cross",
    "sources": [
      {
        "db": "BID",
        "id": "100659"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201709-527"
      }
    ],
    "trust": 0.9
  },
  "cve": "CVE-2017-13993",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 9.3,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 8.6,
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "HIGH",
            "trust": 1.0,
            "userInteractionRequired": false,
            "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Medium",
            "accessVector": "Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "Complete",
            "baseScore": 9.3,
            "confidentialityImpact": "Complete",
            "exploitabilityScore": null,
            "id": "CVE-2017-13993",
            "impactScore": null,
            "integrityImpact": "Complete",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "High",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 7.2,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 3.9,
            "id": "CNVD-2017-25724",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.6,
            "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "author": "IVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 7.2,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 3.9,
            "id": "78f2231c-fb79-43f8-9428-2a4daaeb1954",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.2,
            "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.9 [IVD]"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "author": "NVD",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 1.8,
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Local",
            "author": "NVD",
            "availabilityImpact": "High",
            "baseScore": 7.8,
            "baseSeverity": "High",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "CVE-2017-13993",
            "impactScore": null,
            "integrityImpact": "High",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "Required",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2017-13993",
            "trust": 1.8,
            "value": "HIGH"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2017-25724",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201709-527",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "IVD",
            "id": "78f2231c-fb79-43f8-9428-2a4daaeb1954",
            "trust": 0.2,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "78f2231c-fb79-43f8-9428-2a4daaeb1954"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-25724"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-009405"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-13993"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201709-527"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "An Uncontrolled Search Path or Element issue was discovered in i-SENS SmartLog Diabetes Management Software, Version 2.4.0 and prior versions. An uncontrolled search path element vulnerability has been identified which could be exploited by placing a specially crafted DLL file in the search path. If the malicious DLL is loaded prior to the valid DLL, an attacker could execute arbitrary code on the system. This vulnerability does not affect the connected blood glucose monitor and would not impact delivery of therapy to the patient. SmartLog Diabetes Management Software is software for tracking and monitoring individual blood glucose levels by connecting a blood glucose meter to a computer via USB. i-SENS SmartLog Diabetes Management Software has a code execution vulnerability",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2017-13993"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-009405"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-25724"
      },
      {
        "db": "BID",
        "id": "100659"
      },
      {
        "db": "IVD",
        "id": "78f2231c-fb79-43f8-9428-2a4daaeb1954"
      }
    ],
    "trust": 2.61
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2017-13993",
        "trust": 3.5
      },
      {
        "db": "ICS CERT",
        "id": "ICSMA-17-250-01",
        "trust": 3.3
      },
      {
        "db": "BID",
        "id": "100659",
        "trust": 1.9
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-25724",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201709-527",
        "trust": 0.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-009405",
        "trust": 0.8
      },
      {
        "db": "IVD",
        "id": "78F2231C-FB79-43F8-9428-2A4DAAEB1954",
        "trust": 0.2
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "78f2231c-fb79-43f8-9428-2a4daaeb1954"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-25724"
      },
      {
        "db": "BID",
        "id": "100659"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-009405"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-13993"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201709-527"
      }
    ]
  },
  "id": "VAR-201710-0790",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "IVD",
        "id": "78f2231c-fb79-43f8-9428-2a4daaeb1954"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-25724"
      }
    ],
    "trust": 1.4
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "ICS"
        ],
        "sub_category": null,
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "78f2231c-fb79-43f8-9428-2a4daaeb1954"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-25724"
      }
    ]
  },
  "last_update_date": "2023-12-18T13:38:51.887000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "SmartLog",
        "trust": 0.8,
        "url": "http://www.caresens.com.au/products/software/smartlog"
      },
      {
        "title": "Patch for i-SENS SmartLog Diabetes Management Software Code Execution Vulnerability",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchinfo/show/101788"
      },
      {
        "title": "i-SENS SmartLog Diabetes Management Software Security vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=74734"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2017-25724"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-009405"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201709-527"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-427",
        "trust": 1.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-009405"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-13993"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 3.3,
        "url": "https://ics-cert.us-cert.gov/advisories/icsma-17-250-01"
      },
      {
        "trust": 1.6,
        "url": "http://www.securityfocus.com/bid/100659"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-13993"
      },
      {
        "trust": 0.8,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2017-13993"
      },
      {
        "trust": 0.3,
        "url": "http://www.caresens.com.au/products/software/smartlog"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2017-25724"
      },
      {
        "db": "BID",
        "id": "100659"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-009405"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-13993"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201709-527"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "IVD",
        "id": "78f2231c-fb79-43f8-9428-2a4daaeb1954"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-25724"
      },
      {
        "db": "BID",
        "id": "100659"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-009405"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-13993"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201709-527"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2017-09-08T00:00:00",
        "db": "IVD",
        "id": "78f2231c-fb79-43f8-9428-2a4daaeb1954"
      },
      {
        "date": "2017-09-08T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2017-25724"
      },
      {
        "date": "2017-09-07T00:00:00",
        "db": "BID",
        "id": "100659"
      },
      {
        "date": "2017-11-10T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2017-009405"
      },
      {
        "date": "2017-10-05T01:29:05.197000",
        "db": "NVD",
        "id": "CVE-2017-13993"
      },
      {
        "date": "2017-09-13T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201709-527"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2017-09-08T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2017-25724"
      },
      {
        "date": "2017-09-07T00:00:00",
        "db": "BID",
        "id": "100659"
      },
      {
        "date": "2017-11-10T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2017-009405"
      },
      {
        "date": "2019-10-09T23:23:41.343000",
        "db": "NVD",
        "id": "CVE-2017-13993"
      },
      {
        "date": "2019-10-17T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201709-527"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "local",
    "sources": [
      {
        "db": "BID",
        "id": "100659"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201709-527"
      }
    ],
    "trust": 0.9
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "i-SENS SmartLog Diabetes Management Software Code execution vulnerability",
    "sources": [
      {
        "db": "IVD",
        "id": "78f2231c-fb79-43f8-9428-2a4daaeb1954"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-25724"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Code problem",
    "sources": [
      {
        "db": "IVD",
        "id": "78f2231c-fb79-43f8-9428-2a4daaeb1954"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201709-527"
      }
    ],
    "trust": 0.8
  }
}

GHSA-Q9GX-P594-4CW3

Vulnerability from github – Published: 2022-05-13 01:37 – Updated: 2022-05-13 01:37

Details

Severity ?

7.8 (High)


                  
                    CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2017-13993"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-427",
      "CWE-428"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-10-05T01:29:00Z",
    "severity": "HIGH"
  },
  "details": "An Uncontrolled Search Path or Element issue was discovered in i-SENS SmartLog Diabetes Management Software, Version 2.4.0 and prior versions. An uncontrolled search path element vulnerability has been identified which could be exploited by placing a specially crafted DLL file in the search path. If the malicious DLL is loaded prior to the valid DLL, an attacker could execute arbitrary code on the system. This vulnerability does not affect the connected blood glucose monitor and would not impact delivery of therapy to the patient.",
  "id": "GHSA-q9gx-p594-4cw3",
  "modified": "2022-05-13T01:37:42Z",
  "published": "2022-05-13T01:37:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-13993"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-250-01"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/100659"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2017-13993 (GCVE-0-2017-13993)

ICSMA-17-250-01

GSD-2017-13993

FKIE_CVE-2017-13993

CNVD-2017-25724

VAR-201710-0790

GHSA-Q9GX-P594-4CW3

Tags

Sightings

Nomenclature