Risk | High |
Patch available | YES |
Number of vulnerabilities | 5 |
CVE-ID | CVE-2018-19011 CVE-2018-19013 CVE-2018-19015 CVE-2018-19017 CVE-2018-19019 |
CWE-ID | CWE-94 CWE-77 CWE-416 CWE-843 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | CX-Supervisor (Server applications / Frameworks for developing and running applications) |
Vendor | Omron |
Security Bulletin
This security bulletin contains information about 5 vulnerabilities.
EUVDB-ID: #VU17080
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-19011
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: No
Description: The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper control of code generation (code injection) when processing project files. A remote unauthenticated attacker can trick the victim into opening a specially crafted project file and execute arbitrary code, injected into that file, with the privileges of the application.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation: Update to version 3.5.0.11.
Vulnerable software versions: CX-Supervisor: 3.3.0 - 3.4.2
External links: http://ics-cert.us-cert.gov/advisories/ICSA-19-017-01
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet, but it requires user interaction (UI:R in the CVSS vector above): the victim must open the crafted project file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU17081
Risk: Low
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-19013
CWE-ID:
CWE-77 - Command injection
Exploit availability: No
Description: The vulnerability allows a remote attacker to execute arbitrary commands on the target system.
The vulnerability exists due to command injection when processing project files. A remote unauthenticated attacker can trick the victim into opening a specially crafted project file and inject and execute commands that delete files and/or erase the contents of a file on the device.
Mitigation: Update to version 3.5.0.11.
Vulnerable software versions: CX-Supervisor: 3.3.0 - 3.4.2
External links: http://ics-cert.us-cert.gov/advisories/ICSA-19-017-01
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet, but it requires user interaction (UI:R in the CVSS vector above): the victim must open the crafted project file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU17082
Risk: Low
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-19015
CWE-ID:
CWE-77 - Command injection
Exploit availability: No
Description: The vulnerability allows a remote attacker to execute arbitrary commands on the target system.
The vulnerability exists due to command injection when processing project files. A remote unauthenticated attacker can trick the victim into opening a specially crafted project file and inject and execute commands that launch programs and create, write, and read files on the device.
Mitigation: Update to version 3.5.0.11.
Vulnerable software versions: CX-Supervisor: 3.3.0 - 3.4.2
External links: http://ics-cert.us-cert.gov/advisories/ICSA-19-017-01
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet, but it requires user interaction (UI:R in the CVSS vector above): the victim must open the crafted project file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU17078
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-19017
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
Description: The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a use-after-free error when processing malicious input in project files. A remote unauthenticated attacker can trick the victim into opening a specially crafted project file, trigger memory corruption and execute arbitrary code with the privileges of the application.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation: Update to version 3.5.0.11.
Vulnerable software versions: CX-Supervisor: 3.3.0 - 3.4.2
External links: http://ics-cert.us-cert.gov/advisories/ICSA-19-017-01
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet, but it requires user interaction (UI:R in the CVSS vector above): the victim must open the crafted project file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU17079
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-19019
CWE-ID:
CWE-843 - Type confusion
Exploit availability: No
Description: The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to type confusion when processing malicious input in project files. A remote unauthenticated attacker can trick the victim into opening a specially crafted project file, trigger memory corruption and execute arbitrary code with the privileges of the application.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation: Update to version 3.5.0.11.
Vulnerable software versions: CX-Supervisor: 3.3.0 - 3.4.2
External links: http://ics-cert.us-cert.gov/advisories/ICSA-19-017-01
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet, but it requires user interaction (UI:R in the CVSS vector above): the victim must open the crafted project file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
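A practical first step for all five entries in this bulletin is confirming which workstations run a build in the affected range. The following Python script is an added example written for this page, not Omron's code or tooling: it assumes version strings have already been collected from each CX-Supervisor host (the inventory below is constructed sample data, and the host names are hypothetical) and classifies them against the affected range 3.3.0 - 3.4.2 and the fixed build 3.5.0.11 listed above. Short version strings are padded so that "3.5" is not mistaken for 3.5.0.11, and builds that fall outside the published affected range but below the fix are flagged separately rather than assumed safe.

```python
"""Triage collected CX-Supervisor version strings against the bulletin's
affected range (3.3.0 - 3.4.2) and fixed build (3.5.0.11).

Added example for this page; not vendor code. Version collection from the
hosts is assumed to have happened already (e.g. from an installed-programs
export); this script only does the comparison.
"""

AFFECTED_MIN = "3.3.0"
AFFECTED_MAX = "3.4.2"
FIXED = "3.5.0.11"


def parse_version(s: str) -> tuple:
    """Turn '3.4.2' or '3.5.0.11' into a 4-field comparable tuple.

    Padding with zeros makes 3.4.2 == 3.4.2.0 and 3.5 < 3.5.0.11, which is
    the comparison that matters when the fix is a fourth-field build number.
    Anything non-numeric (e.g. 'v3.4') is rejected so it is never silently
    classified.
    """
    parts = s.strip().split(".")
    if not parts or len(parts) > 4:
        raise ValueError(f"unexpected number of version fields in {s!r}")
    nums = []
    for p in parts:
        if not p.isdigit():
            raise ValueError(f"non-numeric version component in {s!r}")
        nums.append(int(p))
    return tuple(nums + [0] * (4 - len(nums)))


def classify(version: str) -> str:
    """Return 'affected', 'fixed' or 'unlisted' for one version string.

    'unlisted' means the build is outside the published affected range but
    still below the fixed build; treat it as unverified, not as safe, and
    confirm with the vendor advisory.
    """
    v = parse_version(version)
    if parse_version(AFFECTED_MIN) <= v <= parse_version(AFFECTED_MAX):
        return "affected"
    if v >= parse_version(FIXED):
        return "fixed"
    return "unlisted"


def triage(inventory) -> dict:
    """Group (host, version) pairs by status; unparsable versions go to 'invalid'."""
    out = {"affected": [], "fixed": [], "unlisted": [], "invalid": []}
    for host, ver in inventory:
        try:
            out[classify(ver)].append(host)
        except ValueError:
            out["invalid"].append(host)
    return {status: sorted(hosts) for status, hosts in out.items()}


# Constructed sample inventory (hypothetical host names), not a real site.
SAMPLE_INVENTORY = [
    ("hmi-line1", "3.4.2"),     # top of the affected range
    ("hmi-line2", "3.3.0"),     # bottom of the affected range
    ("hmi-line3", "3.5.0.11"),  # exactly the fixed build
    ("eng-ws01", "3.4.2.0"),    # same as 3.4.2 once padded
    ("eng-ws02", "3.4.3"),      # not in the published range, below the fix
    ("eng-ws03", "3.5.0.12"),   # newer than the fix
    ("eng-ws04", "3.5"),        # pads to 3.5.0.0, which is below 3.5.0.11
    ("hmi-old", "3.2.9"),       # older than the published range
    ("bad-entry", "v3.4"),      # malformed collection result
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:9s}: {', '.join(hosts) or '-'}")
```

The "unlisted" bucket is deliberate: a bulletin's affected range is what was tested, not a guarantee that neighbouring builds are clean, so hosts in that bucket should be checked against the vendor advisory rather than dropped from the patch list.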