CVE-2019-10994 - OpenCVE

Processing a specially crafted project file in LAquis SCADA 4.3.1.71 may trigger an out-of-bounds read, which may allow an attacker to obtain sensitive information. The attacker must have local access to the system. A CVSS v3 base score of 2.5 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N).

No CVSS v3.1

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Laquisscada	Scada

Configuration 1 [-]

cpe:2.3:a:laquisscada:scada:4.3.1.71:*:*:*:*:*:*:*

References

Link	Resource
https://www.us-cert.gov/ics/advisories/icsa-19-213-06	Third Party Advisory US Government Resource

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: icscert

Published: 2019-08-05T18:41:18

Updated: 2019-08-05T18:41:18

Reserved: 2019-04-08T00:00:00

Link: CVE-2019-10994

JSON object: View

NVD Information

Status : Modified

Published: 2019-08-05T19:15:11.193

Modified: 2019-10-09T23:45:10.150

Link: CVE-2019-10994

JSON object: View

Redhat Information

No data.

CWE

CWE-125

{"containers": {"cna": {"affected": [{"product": "LCDS LAquis SCADA", "vendor": "n/a", "versions": [{"status": "affected", "version": "4.3.1.71"}]}], "descriptions": [{"lang": "en", "value": "Processing a specially crafted project file in LAquis SCADA 4.3.1.71 may trigger an out-of-bounds read, which may allow an attacker to obtain sensitive information. The attacker must have local access to the system. A CVSS v3 base score of 2.5 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "description": "OUT-OF-BOUNDS READ CWE-125", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-08-05T18:41:18", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.us-cert.gov/ics/advisories/icsa-19-213-06"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2019-10994", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "LCDS LAquis SCADA", "version": {"version_data": [{"version_value": "4.3.1.71"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Processing a specially crafted project file in LAquis SCADA 4.3.1.71 may trigger an out-of-bounds read, which may allow an attacker to obtain sensitive information. The attacker must have local access to the system. A CVSS v3 base score of 2.5 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "OUT-OF-BOUNDS READ CWE-125"}]}]}, "references": {"reference_data": [{"name": "https://www.us-cert.gov/ics/advisories/icsa-19-213-06", "refsource": "MISC", "url": "https://www.us-cert.gov/ics/advisories/icsa-19-213-06"}]}}}}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2019-10994", "datePublished": "2019-08-05T18:41:18", "dateReserved": "2019-04-08T00:00:00", "dateUpdated": "2019-08-05T18:41:18", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:laquisscada:scada:4.3.1.71:*:*:*:*:*:*:*", "matchCriteriaId": "00921E1E-7AD9-4AE5-8689-AD04A22FDA7C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Processing a specially crafted project file in LAquis SCADA 4.3.1.71 may trigger an out-of-bounds read, which may allow an attacker to obtain sensitive information. The attacker must have local access to the system. A CVSS v3 base score of 2.5 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)."}, {"lang": "es", "value": "El procesamiento de un archivo de proyecto especialmente dise\u00f1ado en LAquis SCADA versi\u00f3n 4.3.1.71, puede desencadenar una lectura fuera de l\u00edmites, lo que puede permitir a un atacante obtener informaci\u00f3n confidencial. El atacante requiere tener acceso local al sistema. Un puntaje base de CVSS v3 de 2.5 ha sido calculado; la cadena de vectores CVSS es (AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)."}], "id": "CVE-2019-10994", "lastModified": "2019-10-09T23:45:10.150", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-08-05T19:15:11.193", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.us-cert.gov/ics/advisories/icsa-19-213-06"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-125"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}