CVE-2021-42698 - Vulnerability Details - OpenCVE

Project files are stored memory objects in the form of binary serialized data that can later be read and deserialized again to instantiate the original objects in memory. Malicious manipulation of these files may allow an attacker to corrupt memory.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00126.

Key SSVC decision points have not yet been added.

Vendors	Products
Azeotech	Daqfactory

Configuration 1 [-]

OR	cpe:2.3:a:azeotech:daqfactory::::::::
	cpe:2.3:a:azeotech:daqfactory:18.1:build_2347::::::

No data.

No data.

Fixes

Solution

No solution given by the vendor.

Workaround

Users are discouraged from using documents from unknown/untrusted sources. Users are encouraged to store .ctl files in a folder only writeable by admin-level users. Users are encouraged to operate in “Safe Mode” when loading documents that have been out of their control. Users are encouraged to apply a document editing password to their documents. Users should avoid using the Real Time Web-Connect menu items and instead connect to DAQConnect using script.

References

Link	Providers
https://us-cert.cisa.gov/ics/advisories/icsa-21-308-02

History

No history.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2021-11-05T15:39:34

Updated: 2024-08-04T03:38:50.112Z

Reserved: 2021-10-18T00:00:00

Link: CVE-2021-42698

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-11-05T16:15:07.823

Modified: 2024-11-21T06:27:59.767

Link: CVE-2021-42698

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "DAQFactory", "vendor": "AzeoTech", "versions": [{"lessThanOrEqual": "New version", "status": "affected", "version": "All versions", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Project files are stored memory objects in the form of binary serialized data that can later be read and deserialized again to instantiate the original objects in memory. Malicious manipulation of these files may allow an attacker to corrupt memory."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-11-05T15:39:34", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-308-02"}], "source": {"discovery": "UNKNOWN"}, "title": "AzeoTech DAQFactory", "workarounds": [{"lang": "en", "value": "Users are discouraged from using documents from unknown/untrusted sources.\nUsers are encouraged to store .ctl files in a folder only writeable by admin-level users.\nUsers are encouraged to operate in \u201cSafe Mode\u201d when loading documents that have been out of their control.\nUsers are encouraged to apply a document editing password to their documents.\nUsers should avoid using the Real Time Web-Connect menu items and instead connect to DAQConnect using script."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2021-42698", "STATE": "PUBLIC", "TITLE": "AzeoTech DAQFactory"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "DAQFactory", "version": {"version_data": [{"version_affected": "<=", "version_name": "All versions", "version_value": "New version"}]}}]}, "vendor_name": "AzeoTech"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Project files are stored memory objects in the form of binary serialized data that can later be read and deserialized again to instantiate the original objects in memory. Malicious manipulation of these files may allow an attacker to corrupt memory."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-502 Deserialization of Untrusted Data"}]}]}, "references": {"reference_data": [{"name": "https://us-cert.cisa.gov/ics/advisories/icsa-21-308-02", "refsource": "MISC", "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-308-02"}]}, "source": {"discovery": "UNKNOWN"}, "work_around": [{"lang": "en", "value": "Users are discouraged from using documents from unknown/untrusted sources.\nUsers are encouraged to store .ctl files in a folder only writeable by admin-level users.\nUsers are encouraged to operate in \u201cSafe Mode\u201d when loading documents that have been out of their control.\nUsers are encouraged to apply a document editing password to their documents.\nUsers should avoid using the Real Time Web-Connect menu items and instead connect to DAQConnect using script."}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T03:38:50.112Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-308-02"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2021-42698", "datePublished": "2021-11-05T15:39:34", "dateReserved": "2021-10-18T00:00:00", "dateUpdated": "2024-08-04T03:38:50.112Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:azeotech:daqfactory:*:*:*:*:*:*:*:*", "matchCriteriaId": "100D1A60-4B1A-469D-845D-682797BF2E82", "versionEndIncluding": "18.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:azeotech:daqfactory:18.1:build_2347:*:*:*:*:*:*", "matchCriteriaId": "851124B6-B4CD-429C-A2F1-AF7F49586D98", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Project files are stored memory objects in the form of binary serialized data that can later be read and deserialized again to instantiate the original objects in memory. Malicious manipulation of these files may allow an attacker to corrupt memory."}, {"lang": "es", "value": "Los archivos de proyecto son objetos de memoria almacenados en forma de datos binarios serializados que posteriormente pueden ser le\u00eddos y deserializados de nuevo para instanciar los objetos originales en memoria. La manipulaci\u00f3n maliciosa de estos archivos puede permitir a un atacante corromper la memoria"}], "id": "CVE-2021-42698", "lastModified": "2024-11-21T06:27:59.767", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-11-05T16:15:07.823", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-308-02"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-308-02"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}