{ "document": { "acknowledgments": [ { "names": [ "Natnael Samson (@NattiSamson)", "an anonymous party" ], "organization": "Trend Micro 's Zero Day Initiative (ZDI)", "summary": "reporting these vulnerabilities to NCCIC" } ], "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Disclosure is not limited", "tlp": { "label": "WHITE" } }, "lang": "en-US", "notes": [ { "category": "general", "text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov", "title": "CISA Disclaimer" }, { "category": "summary", "text": "Natnael Samson (@NattiSamson) and an anonymous researcher working with Trend Micro 's Zero Day Initiative (ZDI) reported these vulnerabilities to NCCIC.", "title": "Summary" }, { "category": "other", "text": "No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely.", "title": "Exploitability" } ], "publisher": { "category": "coordinator", "contact_details": "CISAservicedesk@cisa.dhs.gov", "name": "CISA", "namespace": "https://www.cisa.gov/" }, "references": [ { "category": "self", "summary": "ICS Advisory ICSA-19-106-01 JSON", "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2019/icsa-19-106-01.json" }, { "category": "self", "summary": "ICS Advisory ICSA-19-106-01 Web Version", "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-19-106-01" } ], "title": "ICSA-19-106-01_Delta Industrial Automation CNCSoft", "tracking": { "current_release_date": "2019-04-16T00:00:00.000000Z", "generator": { "engine": { "name": "CISA USCert CSAF Generator", "version": "1" } }, "id": "ICSA-19-106-01", "initial_release_date": "2019-04-16T00:00:00.000000Z", "revision_history": [ { "date": "2019-04-16T00:00:00.000000Z", "legacy_version": "Initial", "number": "1", "summary": "ICSA-19-106-01 Delta Industrial Automation CNCSoft" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "<= 1.00.88", "product": { "name": "CNCSoft ScreenEditor: Version 1.00.88 and prior", "product_id": "CSAFPID-0001" } } ], "category": "product_name", "name": "CNCSoft ScreenEditor" } ], "category": "vendor", "name": "Delta Electronics" } ] }, "vulnerabilities": [ { "cve": "CVE-2019-10947", "cwe": { "id": "CWE-125", "name": "Out-of-bounds Read" }, "notes": [ { "category": "summary", "text": "Multiple stack-based buffer overflow vulnerabilities may be exploited by processing specially crafted project files, allowing an attacker to remotely execute arbitrary code. This may occur because CNCSoft lacks user input validation before copying data from project files onto the stack.CVE-2019-10947 has been assigned to these vulnerabilities. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "www.first.org", "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" } ], "remediations": [ { "category": "mitigation", "details": "Update to the latest version of ScreenEditor 1.00.89. This updated version can be found at:", "product_ids": [ "CSAFPID-0001" ], "url": "http://www.deltaww.com/services/DownloadCenter2.aspx?secID=8&pid=2&tid=0&CID=06&itemID=060202&typeID=1&downloadID=&title=&dataType=8" }, { "category": "mitigation", "details": "Restrict the interaction with the application to trusted files.", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2019-10947" }, { "cve": "CVE-2019-10951", "cwe": { "id": "CWE-125", "name": "Out-of-bounds Read" }, "notes": [ { "category": "summary", "text": "Multiple heap-based buffer overflow vulnerabilities may be exploited by processing specially crafted project files, allowing an attacker to remotely execute arbitrary code. There is a lack of user input validation before copying data from project files onto the heap.CVE-2019-10951 has been assigned to these vulnerabilities. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "www.first.org", "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" } ], "remediations": [ { "category": "mitigation", "details": "Update to the latest version of ScreenEditor 1.00.89. This updated version can be found at:", "product_ids": [ "CSAFPID-0001" ], "url": "http://www.deltaww.com/services/DownloadCenter2.aspx?secID=8&pid=2&tid=0&CID=06&itemID=060202&typeID=1&downloadID=&title=&dataType=8" }, { "category": "mitigation", "details": "Restrict the interaction with the application to trusted files.", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2019-10951" }, { "cve": "CVE-2019-10949", "cwe": { "id": "CWE-125", "name": "Out-of-bounds Read" }, "notes": [ { "category": "summary", "text": "Multiple out-of-bounds read vulnerabilities may be exploited, allowing information disclosure due to a lack of user input validation for processing specially crafted project files.CVE-2019-10949 has been assigned to these vulnerabilities. A CVSS v3 base score of 3.3 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N).", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "www.first.org", "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N" } ], "remediations": [ { "category": "mitigation", "details": "Update to the latest version of ScreenEditor 1.00.89. This updated version can be found at:", "product_ids": [ "CSAFPID-0001" ], "url": "http://www.deltaww.com/services/DownloadCenter2.aspx?secID=8&pid=2&tid=0&CID=06&itemID=060202&typeID=1&downloadID=&title=&dataType=8" }, { "category": "mitigation", "details": "Restrict the interaction with the application to trusted files.", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 3.3, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.0" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2019-10949" } ] }