CVE-2021-44768 - OpenCVE

Delta Electronics CNCSoft (Version 1.01.30) and prior) is vulnerable to an out-of-bounds read while processing a specific project file, which may allow an attacker to disclose information.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact Low

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Deltaww	Cncsoft Screeneditor

Configuration 1 [-]

cpe:2.3:a:deltaww:cncsoft_screeneditor:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.cisa.gov/uscert/ics/advisories/icsa-21-350-02

History

No history.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2022-03-25T18:02:31.628748Z

Updated: 2024-09-16T17:58:56.921Z

Reserved: 2021-12-14T00:00:00

Link: CVE-2021-44768

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-03-25T19:15:09.573

Modified: 2022-03-31T01:15:52.263

Link: CVE-2021-44768

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "CNCSoft", "vendor": "Delta Electronics", "versions": [{"lessThanOrEqual": "1.01.30", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Michael Heinzl reported these vulnerabilities to CISA."}], "datePublic": "2021-12-16T00:00:00", "descriptions": [{"lang": "en", "value": "Delta Electronics CNCSoft (Version 1.01.30) and prior) is vulnerable to an out-of-bounds read while processing a specific project file, which may allow an attacker to disclose information."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "description": "CWE-125 Out-of-bounds Read", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-03-25T18:02:31", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-350-02"}], "solutions": [{"lang": "en", "value": "Delta Electronics recommends users upgrade to the latest available patch.\n\nDelta Electronics also recommends users apply the following mitigations to reduce the risk of exploit:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nWhen remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices."}], "source": {"advisory": "ICSA-21-350-02", "discovery": "UNKNOWN"}, "title": "Delta Electronics CNCSoft Out-of-bounds Read", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2021-12-16T18:29:00.000Z", "ID": "CVE-2021-44768", "STATE": "PUBLIC", "TITLE": "Delta Electronics CNCSoft Out-of-bounds Read"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "CNCSoft", "version": {"version_data": [{"version_affected": "<=", "version_value": "1.01.30"}]}}]}, "vendor_name": "Delta Electronics"}]}}, "credit": [{"lang": "eng", "value": "Michael Heinzl reported these vulnerabilities to CISA."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Delta Electronics CNCSoft (Version 1.01.30) and prior) is vulnerable to an out-of-bounds read while processing a specific project file, which may allow an attacker to disclose information."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-125 Out-of-bounds Read"}]}]}, "references": {"reference_data": [{"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-350-02", "refsource": "CONFIRM", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-350-02"}]}, "solution": [{"lang": "en", "value": "Delta Electronics recommends users upgrade to the latest available patch.\n\nDelta Electronics also recommends users apply the following mitigations to reduce the risk of exploit:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nWhen remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices."}], "source": {"advisory": "ICSA-21-350-02", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T04:32:13.199Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-350-02"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2021-44768", "datePublished": "2022-03-25T18:02:31.628748Z", "dateReserved": "2021-12-14T00:00:00", "dateUpdated": "2024-09-16T17:58:56.921Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:deltaww:cncsoft_screeneditor:*:*:*:*:*:*:*:*", "matchCriteriaId": "0A217739-F077-44A5-A18D-ED5460A07639", "versionEndIncluding": "1.01.30", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Delta Electronics CNCSoft (Version 1.01.30) and prior) is vulnerable to an out-of-bounds read while processing a specific project file, which may allow an attacker to disclose information."}, {"lang": "es", "value": "Delta Electronics CNCSoft (Versi\u00f3n 1.01.30) y anteriores) es vulnerable a una lectura fuera de l\u00edmites mientras es procesado un archivo de proyecto espec\u00edfico, lo que puede permitir a un atacante divulgar informaci\u00f3n"}], "id": "CVE-2021-44768", "lastModified": "2022-03-31T01:15:52.263", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 4.2, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2022-03-25T19:15:09.573", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-350-02"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-125"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}